MIS Chapter 8

Uploaded by ashraf294

CHAPTER 8: SECURING INFORMATION SYSTEMS

8-1 WHY ARE INFORMATION SYSTEMS VULNERABLE TO DESTRUCTION, ERROR, AND ABUSE?

IMPACT OF INFORMATION SYSTEMS VULNERABILITY IN BUSINESS:
Can you imagine what would happen if you tried to link to the Internet without a firewall or
antivirus software? Your computer would be disabled within a few seconds, and it might take
you many days to recover. If you used the computer to run your business, you might not be
able to sell to your customers or place orders with your suppliers while it was down. And you
might find that your computer system had been penetrated by outsiders, who perhaps stole or
destroyed valuable data, including confidential payment data from your customers. If too
much data was destroyed or divulged, your business might never be able to recover!

If you operate a business today, you need to make security and control a top priority.
Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems. Controls
are methods, policies, and organizational procedures that ensure the safety of the
organization’s assets, the accuracy and reliability of its records, and operational adherence to
management standards.

WHY SYSTEMS ARE VULNERABLE:

When large amounts of data are stored in electronic form, they are vulnerable to many kinds
of threats. Through communications networks, information systems in different locations are
interconnected. The potential for unauthorized access or damage is not limited to a single
location but can occur at many access points in the network. Figure 8.1 illustrates the most
common threats against contemporary information systems. They can stem from technical,
organizational, and environmental factors compounded by poor management decisions. In the
multitier client/server computing environment illustrated here, vulnerabilities exist at each
layer and in the communications between the layers.

Security Risks and Vulnerabilities

1. User Errors and Unauthorized Access:
o Users at the client level can inadvertently introduce errors or gain
unauthorized access to systems, leading to potential harm.

2. Data Interception in Communication Lines:
o Data transmitted over networks can be intercepted, stolen, or altered without
authorization. Network disruptions can also occur due to radiation
interference.

3. Attacks on Corporate Servers:
o Intruders can launch denial-of-service (DoS) attacks or deploy malicious
software to disrupt website operations.
o Once inside corporate systems, intruders can steal, destroy, or modify
sensitive corporate data stored in databases or files.

4. Hardware and Software Failures:
o System malfunctions can arise from hardware breakdowns, improper
configurations, or damage due to misuse. Software failures can result from
programming errors, improper installations, or unauthorized changes.

5. Natural Disasters:
o Power failures, floods, fires, and other natural disasters can significantly
disrupt computer systems.

6. Partnering Risks:
o Collaborating with other companies, especially those offshore, can expose
systems to vulnerabilities if sensitive information resides on external
networks.

7. Data Loss and Breaches:
o Without strong security measures, valuable data can be lost, destroyed, or
accessed by unauthorized parties, risking the exposure of trade secrets or
personal information.

8. Mobile Device Vulnerabilities:
o The portability of smartphones and tablets makes them easy to lose or steal.
These devices share security weaknesses with other internet-connected devices
and can be targets for malware. They often store sensitive corporate data,
making them gateways for intruders to access internal systems.

INTERNET VULNERABILITIES:
Large public networks, such as the Internet, are more vulnerable than internal networks
because they are virtually open to anyone. The Internet is so huge that when abuses do occur,
they can have an enormously widespread impact. When the Internet links to the corporate
network, the organization’s information systems are even more vulnerable to actions from
outsiders.

Vulnerability has also increased from widespread use of email, instant messaging
(IM), and peer-to-peer (P2P) file-sharing programs.

 Email may contain attachments that serve as springboards for malicious software or
unauthorized access to internal corporate systems. Employees may use email
messages to transmit valuable trade secrets, financial data, or confidential customer
information to unauthorized recipients.
 Instant messaging activity over the Internet can in some cases be used as a back door
to an otherwise secure network.
 Sharing files over P2P networks, such as those for illegal music sharing, can also
transmit malicious software or expose information on either individual or corporate
computers to outsiders.

Wireless Security Challenges (Summary from ChatGPT)

1. Ease of Access: Wi-Fi networks can be easily targeted by attackers with basic tools
like laptops and software. The design of Wi-Fi makes it easy for devices to connect,
but this also opens the door to intrusions.
2. SSID Exposure: Wi-Fi networks broadcast their names (SSIDs) frequently, making
them easy to detect. Attackers can use sniffing tools to capture these names and learn
about the network.
3. War Driving: Many wireless networks lack protections against war driving, where
attackers drive around to find unprotected networks. They can intercept data from a
distance without needing direct access.
4. Unauthorized Access: If an intruder connects to a network (even without the right
credentials), they can explore the network and potentially access other users' files and
sensitive information.
5. Rogue Access Points: Attackers can create fake access points near legitimate ones.
Unsuspecting users might connect to these rogue points, allowing attackers to capture
sensitive data like usernames and passwords.
6. Lack of Basic Protections: Many wireless networks do not use strong security
measures like WPA3, which protects data with encryption. This makes them
vulnerable to attacks and data interception.

Solutions

To protect against these risks, users should:

 Use WPA3 encryption for stronger security.
 Hide the SSID to make the network less visible.
 Regularly check for unauthorized devices.
 Educate users about the risks of connecting to unknown networks.

MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN HORSES, AND SPYWARE

Malicious software programs are referred to as malware and include a variety of threats such
as computer viruses, worms, and Trojan horses.

1. A computer virus is a harmful software program that attaches itself to other
programs or files and runs without the user's knowledge. Viruses often have a
"payload," which can be harmless (like displaying a message) or very damaging (such
as deleting files, slowing down the computer, or causing programs to malfunction).
Viruses typically spread from computer to computer when humans take an action,
such as sending an email attachment or copying an infected file.

(In the context of computer viruses, a "payload" refers to the harmful actions or
effects that the virus carries out once it infects a system. This can include deleting
files, stealing data, displaying unwanted messages, or causing other damage to the
computer or its software. Essentially, the payload is the part of the virus that performs
the actual malicious activity.)

2. Worms are independent computer programs that copy themselves from one computer
to other computers over a network. Unlike viruses, worms can operate on their own
without attaching to other computer program files and rely less on human behavior to
spread rapidly from computer to computer. Worms destroy data and programs as well
as disrupt or even halt the operation of computer networks.

3. A Trojan horse is a type of malicious software that disguises itself as a legitimate
program to trick users into downloading or installing it. Unlike viruses or worms,
Trojans do not replicate themselves. Instead, they create a backdoor for attackers to
access the infected system, potentially leading to data theft, system damage, or other
malicious activities. Users often unknowingly install Trojans by downloading
seemingly harmless software or clicking on deceptive links.

4. SQL Injection Attacks: These attacks take advantage of weaknesses in poorly
designed web applications to insert harmful code into a company's systems. This
happens when the application doesn’t properly check or filter user input, like when
placing an order online. An attacker exploits this flaw by sending a malicious SQL
query to the database, allowing them to access data, install harmful code, or reach
other systems on the network.

5. Malware known as ransomware is proliferating on both desktop and mobile devices.
Ransomware tries to extort money from users by taking control of their computers,
blocking access to files, or displaying annoying pop-up messages. For example, the
ransomware called WannaCry that attacked computers in more than 150 countries in
May 2017 encrypts an infected computer’s files, forcing users to pay hundreds of
dollars to regain access.

6. Spyware is a type of malicious software that secretly monitors and collects
information about a user's activities without their knowledge. It can gather personal
data, such as browsing habits, login credentials, and even sensitive information like
credit card numbers.
7. Keyloggers are a specific type of spyware designed to record every keystroke a user
makes on their keyboard. This includes everything typed, such as passwords, emails,
and messages. Keyloggers can be installed as software or as hardware devices.

8. Drive-by downloads consist of malware that comes with a downloaded file that a
user intentionally or unintentionally requests. In this type of attack, malicious software
is downloaded to a user's device without their consent or knowledge, typically when the
user visits a compromised or malicious website, often through deceptive links or ads.
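Added example (not from the textbook or these notes): the flaw behind item 4 above, SQL injection, shown as the vulnerable query pattern beside its parameterized fix, using Python's built-in sqlite3 module on a constructed in-memory orders table. The customer names, prices and the malformed input value are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web shop's order records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders (customer, total) VALUES (?, ?)",
        [("alice", 19.99), ("bob", 250.00), ("carol", 7.50)],
    )
    conn.commit()
    return conn


def lookup_orders_unsafe(conn, customer):
    # Vulnerable pattern: the request value is pasted into the SQL text, so a
    # value containing quotes or SQL keywords changes the statement itself.
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    # Hardened pattern: the value is passed as a bound parameter; the engine
    # treats it purely as data, so the statement's structure cannot change.
    sql = "SELECT customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def demo():
    """Run both lookups with a normal value and with a constructed value that
    contains SQL syntax, and return the rows each lookup produced."""
    conn = make_db()
    normal = "alice"
    malformed = "x' OR '1'='1"  # constructed: not a customer name, but valid SQL once spliced in
    return {
        "unsafe_normal": lookup_orders_unsafe(conn, normal),
        "unsafe_malformed": lookup_orders_unsafe(conn, malformed),
        "safe_normal": lookup_orders_safe(conn, normal),
        "safe_malformed": lookup_orders_safe(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The unsafe lookup returns every customer's order for the malformed value because the input rewrote the WHERE clause; the parameterized lookup returns nothing, since no customer is literally named that. Input filtering alone is not the fix; binding parameters is.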

Sources of Malicious Software


 Common Sources of Viruses: Infected email attachments, downloadable software
from untrustworthy sites, and file-sharing networks.
 Common Sources of worms: Vulnerabilities in networked systems, infected email
links, and compromised websites.
 Common Sources of Trojan Horses: Free software downloads, fake updates, and
deceptive links in emails or messages.
 Common Sources of Spyware: Infected software installations, malicious websites,
and ads or pop-ups that encourage downloads.

Prevention Tips
To protect against these types of malware, users should:

 Use Antivirus Software: Regularly update and run scans to detect and remove
malware.

 Be Cautious with Downloads: Only download software from trusted sources and
avoid clicking on suspicious links.
 Keep Software Updated: Ensure operating systems and applications are up to date to
fix vulnerabilities.
 Educate Yourself: Stay informed about the latest security threats and safe browsing
practices.

HACKERS AND COMPUTER CRIME:

A hacker is an individual who intends to gain unauthorized access to a computer system.
Within the hacking community, the term cracker is typically used to denote a hacker with
criminal intent, although in the public press, the terms hacker and cracker are used
interchangeably. Hackers gain unauthorized access by finding weaknesses in the security
protections websites and computer systems employ. Hacker activities have broadened beyond
mere system intrusion to include theft of goods and information as well as system damage
and cybervandalism. Hackers attempting to hide their true identities often spoof, or
misrepresent, themselves by using fake email addresses or masquerading as someone else.
Cybervandalism refers to the deliberate destruction, defacement, or disruption of websites,
online content, or digital assets. It often involves unauthorized access to digital platforms
with the intent to cause harm, spread misinformation, or create chaos.
Spoofing and Sniffing
Spoofing may also involve redirecting a web link to an address different from the intended
one, with the site masquerading as the intended destination. For example, if hackers redirect
customers to a fake website that looks almost exactly like the true site, they can then collect
and process orders, effectively stealing business as well as sensitive customer information
from the true site.

A sniffer is a type of eavesdropping program that monitors information traveling over a
network. When used legitimately, sniffers help identify potential network trouble spots or
criminal activity on networks, but when used for criminal purposes, they can be damaging
and very difficult to detect. Sniffers enable hackers to steal proprietary information from
anywhere on a network, including email messages, company files, and confidential reports.

Denial-of-Service Attacks
In a denial-of-service (DoS) attack, hackers flood a network server or web server with
many thousands of false communications or requests for services to crash the network. The
network receives so many queries that it cannot keep up with them and is thus unavailable to
service legitimate requests.

A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and
overwhelm the network from numerous launch points.

A botnet is a network of infected computers or devices (often referred to as "bots" or
"zombies") that are controlled remotely by a cybercriminal, typically without the users'
knowledge. Botnets are created by infecting devices with malware, allowing the attacker to
manage them collectively. Perpetrators of DDoS attacks often use thousands of botnet or
zombie PCs infected with malicious software without their owners’ knowledge. When
hackers infect enough computers, they can use the amassed resources of the botnet to launch
DDoS attacks, phishing campaigns, or unsolicited spam email.

Effect of a DoS or DDoS attack: Although DoS attacks do not destroy information or access
restricted areas of a company’s information systems, they often cause a website to shut down,
making it impossible for legitimate users to access the site. For busy e-commerce sites, these
attacks are costly; while the site is shut down, customers cannot make purchases. Especially
vulnerable are small and midsize businesses whose networks tend to be less protected than
those of large corporations.
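Added example, not from the chapter: a small detector run over constructed web-server log lines that flags any client sending more requests than a threshold inside a sliding time window, which is the simplest way a server operator notices the flood of requests described above. The log format, the client addresses (taken from the reserved documentation ranges), and the threshold of 5 requests per 10 seconds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample web-server log: "<ISO timestamp> <client IP> <method> <path>",
# in time order. 203.0.113.7 sends six requests in six seconds; the other two
# clients browse at a normal pace.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 GET /login
2024-05-01T10:00:00 192.0.2.9 GET /index.html
2024-05-01T10:00:01 203.0.113.7 GET /login
2024-05-01T10:00:02 203.0.113.7 GET /login
2024-05-01T10:00:02 198.51.100.2 GET /catalog
2024-05-01T10:00:03 203.0.113.7 GET /login
2024-05-01T10:00:04 203.0.113.7 GET /login
2024-05-01T10:00:05 203.0.113.7 GET /login
2024-05-01T10:00:09 198.51.100.2 GET /cart
2024-05-01T10:00:15 192.0.2.9 GET /catalog
2024-05-01T10:00:30 192.0.2.9 GET /cart
2024-05-01T10:00:45 192.0.2.9 GET /checkout
2024-05-01T10:00:50 198.51.100.2 POST /checkout
2024-05-01T10:01:00 192.0.2.9 GET /index.html
2024-05-01T10:01:15 192.0.2.9 GET /catalog
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path


def find_flooders(log_text, max_requests=5, window_seconds=10):
    """Return {ip: peak_count} for every client whose request count inside a
    sliding window of window_seconds ever exceeds max_requests.

    Lines must be in chronological order. Each client keeps a deque of recent
    timestamps; entries older than the window are dropped before counting."""
    recent = defaultdict(deque)
    peak = {}
    for line in log_text.strip().splitlines():
        ts, ip, _, _ = parse_line(line)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


if __name__ == "__main__":
    for ip, count in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {count} requests within 10 s, above the threshold of 5")
```

Only 203.0.113.7 is flagged with the default settings; 192.0.2.9 also makes six requests, but spread over 75 seconds, so it is flagged only if the window is widened to cover them. In a real DDoS the requests come from thousands of addresses at once, which is why per-client thresholds must be paired with total-load monitoring and upstream filtering.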

Computer Crime
Computer crime is defined by the U.S. Department of Justice as “any violations of criminal
law that involve a knowledge of computer technology for their perpetration, investigation, or
prosecution.”

Table 8.2 provides examples of the computer as both a target and an instrument of
crime.

TABLE 8.2 EXAMPLES OF COMPUTER CRIME

COMPUTERS AS TARGETS OF CRIME

 Breaching the confidentiality of protected computerized data
 Accessing a computer system without authority
 Knowingly accessing a protected computer to commit fraud
 Intentionally accessing a protected computer and causing damage negligently or
deliberately
 Knowingly transmitting a program, program code, or command that intentionally
causes damage to a protected computer
 Threatening to cause damage to a protected computer

COMPUTERS AS INSTRUMENTS OF CRIME

 Theft of trade secrets
 Unauthorized copying of software or copyrighted intellectual property, such as
articles, books, music, and video
 Schemes to defraud
 Using email or messaging for threats or harassment
 Intentionally attempting to intercept electronic communication
 Illegally accessing stored electronic communications, including email and voice mail
 Transmitting or possessing child pornography by using a computer

Identity Theft
Identity theft: With the growth of the Internet and electronic commerce, identity theft has
become especially troubling. Identity theft is a crime in which an imposter obtains key pieces
of personal information, such as social security numbers, driver’s license numbers, or credit
card numbers, to impersonate someone else. The information may be used to obtain credit,
merchandise, or services in the name of the victim or to provide the thief with false
credentials. Identity theft has flourished on the Internet, with credit card files a major target
of website hackers.

Phishing: One increasingly popular tactic is a form of spoofing called phishing. Phishing
involves setting up fake websites or sending email messages that look like those of legitimate
businesses to ask users for confidential personal data. The email message instructs recipients
to update or confirm records by providing social security numbers, bank and credit card
information, and other confidential data, either by responding to the email message, by
entering the information at a bogus website, or by calling a telephone number.

Spear phishing: In a more targeted form of phishing called spear phishing, messages appear
to come from a trusted source, such as an individual within the recipient’s own company or a
friend.

Evil twins: Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi
connections to the Internet, such as those in airport lounges, hotels, or coffee shops. The
bogus network looks identical to a legitimate public network. Fraudsters try to capture
passwords or credit card numbers of unwitting users who log on to the network.

Pharming: Pharming is a cyber attack that redirects users from legitimate websites to
fraudulent ones without their knowledge. This is often done to steal sensitive information,
such as usernames, passwords, and financial data.
Click Fraud
Click fraud is a type of cybercrime where an individual or automated program (bot)
generates false clicks on online ads to inflate advertising costs. This fraudulent activity can
occur in various forms, primarily in pay-per-click (PPC) advertising models.

Some companies hire third parties (typically from low-wage countries) to click a competitor’s
ads fraudulently to weaken them by driving up their marketing costs. Click fraud can also be
perpetrated with software programs doing the clicking, and botnets are often used for this
purpose.

Global Threats: Cyberterrorism and Cyberwarfare

The global nature of the Internet makes it possible for cybercriminals to operate—and to do
harm—anywhere in the world. Internet vulnerabilities have also turned individuals and even
entire nation-states into easy targets for politically motivated hacking to conduct sabotage and
espionage.
Cyberterrorism refers to politically motivated attacks carried out by individuals or groups to
create fear or disrupt societal functions through cyber means. The primary aim is often to
instill fear, influence government policies, or draw attention to a cause. Typical targets
include government websites, critical infrastructure (like power grids), and large
corporations.

Cyberwarfare is a state-sponsored activity designed to cripple and defeat another state or
nation by penetrating its computers or networks to cause damage and disruption. Targets may
include military systems, government agencies, and critical infrastructure (like energy, water
supply, and transportation systems).

Internal Threats: Employees

We tend to think the security threats to a business originate outside the organization. In fact,
company insiders pose serious security problems. Studies have found that user lack of
knowledge is the single greatest cause of network security breaches. Many employees forget
their passwords to access computer systems or allow coworkers to use them, which
compromises the system.

Social engineering is a manipulation technique that exploits human psychology to gain
confidential information, access, or valuables. Instead of using technical hacking methods,
social engineers rely on tricking individuals into divulging sensitive information or
performing actions that compromise security.

Software Vulnerability
Software errors pose a constant threat to information systems, causing untold losses in
productivity and sometimes endangering people who use or depend on systems. Growing
complexity and size of software programs, coupled with demands for rapid delivery to
markets, have contributed to an increase in software flaws or vulnerabilities.

Bugs: A major problem with software is the presence of hidden bugs or program code
defects. Studies have shown that it is virtually impossible to eliminate all bugs from large
programs. The main source of bugs is the complexity of decision-making code.

Zero-day vulnerabilities: Especially troublesome are zero-day vulnerabilities, which are
holes in the software unknown to its creator. Hackers then exploit this security hole before
the vendor becomes aware of the problem and hurries to fix it. This type of vulnerability is
called zero-day because the author of the software has zero days after learning about it to
patch the code before it can be exploited in an attack. Sometimes security researchers spot the
software holes, but more often, they remain undetected until an attack has occurred.

Patches: To correct software flaws once they are identified, the software vendor creates
small pieces of software called patches to repair the flaws without disturbing the proper
operation of the software. It is up to users of the software to track these vulnerabilities, test,
and apply all patches. This process is called patch management.

8-2 WHAT IS THE BUSINESS VALUE OF SECURITY AND CONTROL?

1. Value of Information Assets
Companies possess valuable information assets, including sensitive data related to individuals
and corporate operations, such as individuals’ taxes, financial assets, medical records, trade
secrets, new product development plans and marketing strategies.
Government systems also store critical information, including military and intelligence data,
making these assets highly valuable and risky if compromised.
2. Impact of Security Breaches
Security breaches, disasters, or technology failures can severely impact a company's financial
health, with some experts estimating that 40% of businesses may not recover from data losses
not addressed within three days.
3. Legal Liabilities from Inadequate Security
Inadequate security can lead to serious legal liabilities, as businesses must protect not only
their own information but also that of customers, employees, and partners.
4. Consequences of Negligence
Failure to implement proper security measures can result in costly litigation for data exposure
or theft, making organizations liable for risks and damages due to negligence in protecting
confidential information.
Legal and Regulatory Requirements for Electronic Records Management (Not
important)

Government regulations worldwide are forcing companies to take security and control more
seriously by mandating the protection of data from abuse, exposure, and unauthorized access.
Firms face new legal obligations for the retention and storage of electronic records as well as
for privacy protection.

Example: If you work in the U.S. healthcare industry, your firm will need to comply with the
Health Insurance Portability and Accountability Act (HIPAA) of 1996. If you work
in a firm providing financial services, your firm will need to comply with the Financial
Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act. If you
work in a publicly traded company, your company will need to comply with the Public
Company Accounting Reform and Investor Protection Act of 2002, better known as the
Sarbanes-Oxley Act.

Electronic Evidence and Computer Forensics

Security, control, and electronic records management have become essential for responding
to legal actions. Much of the evidence today for stock fraud, embezzlement, theft of company
trade secrets, computer crime, and many civil cases is in digital form. In addition to
information from printed or typewritten pages, legal cases today increasingly rely on
evidence represented as digital data stored on portable storage devices, CDs, and computer
hard disk drives as well as in email, instant messages, and e-commerce transactions over the
Internet.

In a legal action, a firm is obligated to respond to a discovery request for access to
information that may be used as evidence, and the company is required by law to produce
those data. The cost of responding to a discovery request can be enormous if the company has
trouble assembling the required data or the data have been corrupted or destroyed. Courts
now impose severe financial and even criminal penalties for improper destruction of
electronic documents.

An effective electronic document retention policy ensures that electronic documents, email,
and other records are well organized, accessible, and neither retained too long nor discarded
too soon. It also reflects an awareness of how to preserve potential evidence for computer
forensics.

1. Importance of Electronic Evidence
Security, control, and electronic records management are crucial for legal actions, as much of
today’s evidence for various crimes and civil cases is in digital form. In addition to
information from printed or typewritten pages, legal cases today increasingly rely on
evidence represented as digital data stored on portable storage devices, CDs, and computer
hard disk drives as well as in email, instant messages, and e-commerce transactions over the
Internet.
2. Legal Obligations for Data Access
Companies must respond to discovery requests for information that may serve as evidence,
and failure to produce this data can lead to significant costs, especially if data is corrupted or
destroyed. Courts impose severe penalties for improper destruction of electronic documents.
3. Benefits of a Retention Policy
An effective electronic document retention policy ensures that electronic documents, email,
and other records are well organized, accessible, and neither retained too long nor discarded
too soon. It also reflects an awareness of how to preserve potential evidence for computer
forensics.

Computer forensics and its purpose:

Computer forensics is the scientific collection, examination, authentication, preservation,
and analysis of data held on or retrieved from computer storage media in such a way that the
information can be used as evidence in a court of law.

It deals with the following problems:

• Recovering data from computers while preserving evidential integrity
• Securely storing and handling recovered electronic data
• Finding significant information in a large volume of electronic data
• Presenting the information to a court of law

How forensics experts recover electronic evidence:

Electronic evidence can exist on computer storage media as visible files or ambient data,
which is often not accessible to the average user. For instance, deleted files from a PC hard
drive can frequently be recovered using specialized techniques. Computer forensics experts
focus on retrieving this hidden data to present it as evidence in legal proceedings.
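Added example (not part of the notes or the textbook): a constructed miniature "disk image" in which a PDF was deleted, so it no longer appears in the directory listing but its bytes remain as ambient data. The code recovers it by searching for the PDF file signature instead of relying on directory entries, and hashes the image before and after analysis so the examiner can show the evidence was not altered. The image layout and file names are invented for the example; the signature strings are the marker real PDF files begin with ("%PDF-") and the end-of-file marker they contain ("%%EOF").

```python
import hashlib

# Signatures used to carve PDF documents out of raw, unallocated space.
PDF_START = b"%PDF-"
PDF_END = b"%%EOF"


def sha256_hex(data: bytes) -> str:
    """Fingerprint used to prove that an evidence image was not altered."""
    return hashlib.sha256(data).hexdigest()


def build_sample_image() -> bytes:
    """Constructed stand-in for a small disk image. The directory region lists
    only report.txt; memo.pdf was 'deleted', so its directory entry is gone,
    but its bytes still sit in unallocated space (ambient data)."""
    directory = b"DIR: report.txt\n"
    report = b"Quarterly numbers look fine.\n"
    unallocated = b"\x00" * 16 + b"%PDF-1.4 confidential memo %%EOF" + b"\x00" * 8
    return directory + report + unallocated


def carve_pdfs(image: bytes) -> list:
    """Recover PDF documents by signature rather than by directory entry, so
    deleted files are found as long as their bytes were not overwritten."""
    found = []
    pos = image.find(PDF_START)
    while pos != -1:
        end = image.find(PDF_END, pos)
        if end == -1:
            break  # truncated document: nothing complete to recover
        end += len(PDF_END)
        found.append(image[pos:end])
        pos = image.find(PDF_START, end)
    return found


def verify_copy(working_copy: bytes, reference_hash: str) -> bool:
    """Chain-of-custody check: a working copy is only usable if its hash still
    matches the hash recorded when the evidence was acquired."""
    return sha256_hex(working_copy) == reference_hash


def examine(image: bytes) -> dict:
    """Hash first, analyse the image read-only, hash again; an unchanged hash
    is what lets the recovered material be presented in court."""
    before = sha256_hex(image)
    recovered = carve_pdfs(image)
    after = sha256_hex(image)
    return {"hash_before": before, "hash_after": after,
            "integrity_ok": before == after, "recovered": recovered}


if __name__ == "__main__":
    result = examine(build_sample_image())
    print("integrity preserved:", result["integrity_ok"])
    for doc in result["recovered"]:
        print("recovered:", doc)
```

Real examiners work the same way at a larger scale: they image the drive with a write blocker, record the hash of the image, and carve or parse the copy, never the original. Any later change to the working copy, even a single byte, is caught by verify_copy.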

Importance of awareness of computer forensics:

An awareness of computer forensics should be incorporated into a firm’s contingency
planning process. The CIO, security specialists, information systems staff, and corporate
legal counsel should all work together to have a plan in place that can be executed if a legal
need arises.

8-3 WHAT ARE THE COMPONENTS OF AN ORGANIZATIONAL FRAMEWORK FOR SECURITY AND CONTROL?

Even with the best security tools, your information systems won’t be reliable and secure
unless you know how and where to deploy them. You’ll need to know where your company
is at risk and what controls you must have in place to protect your information systems.
You’ll also need to develop a security policy and plans for keeping your business running if
your information systems aren’t operational.

Information Systems Controls

Information systems controls are both manual and automated and consist of general and
application controls.

General controls:

General controls govern the design, security, and use of computer programs and the security
of data files in general throughout the organization’s information technology infrastructure.
On the whole, general controls apply to all computerized applications and consist of a
combination of hardware, software, and manual procedures that create an overall control
environment.

General controls include software controls, physical hardware controls, computer operations
controls, data security controls, controls over the systems development process, and
administrative controls.

TABLE 8.4 GENERAL CONTROLS:

Software controls: Monitor the use of system software and prevent unauthorized access and
use of software programs, system software, and computer programs.

Hardware controls: Ensure that computer hardware is physically secure and check for
equipment malfunction. Organizations that are critically dependent on their computers also
must make provisions for backup or continued operation to maintain constant service.

Computer operations controls: Oversee the work of the computer department to ensure that
programmed procedures are consistently and correctly applied to the storage and processing
of data. They include controls over the setup of computer processing jobs and backup and
recovery procedures for processing that ends abnormally.

Data security controls: Ensure that valuable business data files maintained internally or by
an external hosting service are not subject to unauthorized access, change, or destruction
while they are in use or in storage.

Implementation controls: Audit the systems development process at various points to
ensure that the process is properly controlled and managed.

Administrative controls: Formalize standards, rules, procedures, and control disciplines to
ensure that the organization’s general and application controls are properly executed and
enforced.

Application controls:

Application controls are specific controls unique to each computerized application, such as
payroll or order processing. They include both automated and manual procedures that ensure
that only authorized data are completely and accurately processed by that application.

Application controls can be classified as (1) input controls, (2) processing controls, and (3)
output controls.

Input controls check data for accuracy and completeness when they enter the system. There
are specific input controls for input authorization, data conversion, data editing, and error
handling.

Processing controls establish that data are complete and accurate during updating.

Output controls ensure that the results of computer processing are accurate, complete, and
properly distributed.
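Added example, not from the chapter: an order-entry batch run through the three kinds of application control described above. The edit check is an input control (data editing and error handling), the record count and financial control total are processing controls that confirm nothing was lost or altered between the submitting department and the application, and the returned summary is what an output control would distribute back to that department. The record layout, field rules, batch header values and sample records are all constructed.

```python
from dataclasses import dataclass
import re


@dataclass
class OrderRecord:
    order_id: str
    customer_id: str
    quantity: int
    unit_price: float


def edit_check(rec: OrderRecord) -> list:
    """Input control (data editing): return the reasons a record is
    unacceptable; an empty list means the record passed."""
    errors = []
    if not re.fullmatch(r"\d{4}", rec.order_id):
        errors.append("order_id must be four digits")
    if not rec.customer_id:
        errors.append("customer_id is required")
    if not 1 <= rec.quantity <= 1000:
        errors.append("quantity outside 1..1000")
    if rec.unit_price <= 0:
        errors.append("unit_price must be positive")
    return errors


def process_batch(records, expected_count, expected_total) -> dict:
    """Processing control (batch control totals): the submitting department
    states how many records it sent and their financial total; both are
    recomputed here so lost, duplicated or altered records are detected.
    Records failing the edit check go to an error log instead of being
    silently dropped (error handling)."""
    accepted, error_log = [], {}
    for rec in records:
        problems = edit_check(rec)
        if problems:
            error_log[rec.order_id] = problems
        else:
            accepted.append(rec)
    received_total = round(sum(r.quantity * r.unit_price for r in records), 2)
    return {
        "accepted": len(accepted),
        "error_log": error_log,
        "count_ok": len(records) == expected_count,
        "total_ok": abs(received_total - expected_total) < 0.005,
        "received_total": received_total,
    }


# Constructed batch: four records arrived, but the batch header claims five
# records totalling 450.00, so one record went missing in transmission.
SAMPLE_BATCH = [
    OrderRecord("1001", "C-7", 2, 19.99),
    OrderRecord("1002", "C-3", 1, 250.00),
    OrderRecord("10X3", "C-5", 3, 7.50),   # malformed order id
    OrderRecord("1004", "C-9", -2, 7.50),  # negative quantity
]
SAMPLE_HEADER = {"expected_count": 5, "expected_total": 450.00}


if __name__ == "__main__":
    summary = process_batch(SAMPLE_BATCH, **SAMPLE_HEADER)
    print(f"accepted {summary['accepted']} record(s); rejected {list(summary['error_log'])}")
    print(f"record count matches header: {summary['count_ok']}")
    print(f"financial total {summary['received_total']} matches header: {summary['total_ok']}")
```

The two control families catch different problems: the edit check rejects individual bad records, while the batch totals reveal that a record never arrived at all, something no per-record check can see.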

Risk Assessment

Before your company commits resources to security and information systems controls, it
must know which assets require protection and the extent to which these assets are
vulnerable. A risk assessment helps answer these questions and determine the most cost-
effective set of controls for protecting assets.
A risk assessment evaluates the potential risks to a firm if specific activities or processes are
inadequately controlled. While not all risks can be predicted or quantified, businesses can
gain insight into the risks they face. Managers, in collaboration with information systems
specialists, should focus on determining the value of information assets, identifying
vulnerabilities, assessing the likelihood of issues, and understanding the potential for damage.

For example, if an event is likely to occur no more than once a year, with a maximum of a
$1000 loss to the organization, it is not wise to spend $20,000 on the design and maintenance
of a control to protect against that event. However, if that same event could occur at least
once a day, with a potential loss of more than $300,000 a year, $100,000 spent on a control
might be entirely appropriate.

Security Policy

After you’ve identified the main risks to your systems, your company will need to develop a
security policy for protecting the company’s assets.

Security policy consists of statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals. Management must
estimate how much it will cost to achieve this level of acceptable risk.

The security policy drives other policies determining acceptable use of the firm’s information
resources and which members of the company have access to its information assets. An
acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and
computing equipment, including desktop and laptop computers, mobile devices, telephones,
and the Internet. A good AUP defines unacceptable and acceptable actions for every user and
specifies consequences for noncompliance.

Disaster Recovery Planning and Business Continuity Planning


If you run a business, you need to plan for events, such as power outages, floods,
earthquakes, or terrorist attacks that will prevent your information systems and your business
from operating.

Disaster recovery planning devises plans for the restoration of disrupted computing and
communications services. Disaster recovery plans focus primarily on the technical issues

involved in keeping systems up and running, such as which files to back up and the
maintenance of backup computer systems or disaster recovery services.

Business continuity planning focuses on how the company can restore business operations
after a disaster strikes. The business continuity plan identifies critical business processes and
determines action plans for handling mission-critical functions if systems go down.

The Role of Auditing

An information systems audit examines the firm’s overall security environment as well as
controls governing individual information systems. The auditor should trace the flow of
sample transactions through the system and perform tests, using, if appropriate, automated
audit software. The information systems audit may also examine data quality.

Security audits review technologies, procedures, documentation, training, and personnel. A


thorough audit will even simulate an attack or disaster to test the response of the technology,
information systems staff, and business employees. The audit lists and ranks all control
weaknesses and estimates the probability of their occurrence. It then assesses the financial
and organizational impact of each threat.

8-4 WHAT ARE THE MOST IMPORTANT TOOLS AND TECHNOLOGIES FOR
SAFEGUARDING INFORMATION RESOURCES?

Identity Management and Authentication

Identity management software automates the process of keeping track of all these users and
their system privileges, assigning each user a unique digital identity for accessing each
system. It also includes tools for authenticating users, protecting user identities, and
controlling access to system resources.

To gain access to a system, a user must be authorized and authenticated. Authentication
refers to the ability to know that a person is who he or she claims to be. Authentication is
often established by using passwords known only to authorized users. An end user uses a
password to log on to a computer system and may also use passwords for accessing specific
systems and files.

Problems with using passwords only:

Users often forget passwords, share them, or choose poor passwords that are easy to guess,
which compromises security. Password systems that are too rigorous hinder employee
productivity. When employees must change complex passwords frequently, they often take
shortcuts, such as choosing passwords that are easy to guess or keeping their passwords at
their workstations in plain view. Passwords can also be sniffed if transmitted over a network
or stolen through social engineering.

New authentication technologies, such as tokens, smart cards, and biometric
authentication, overcome some of these problems.

A token is a physical device, similar to an identification card, that is designed to prove the
identity of a single user. Tokens are small gadgets that typically fit on key rings and display
passcodes that change frequently.

A smart card is a device about the size of a credit card that contains a chip formatted with
access permission and other data. (Smart cards are also used in electronic payment systems.)
A reader device interprets the data on the smart card and allows or denies access.

Biometric authentication uses systems that read and interpret individual human traits, such
as fingerprints, irises, and voices to grant or deny access. Biometric authentication is based
on the measurement of a physical or behavioral trait that makes each individual unique. It
compares a person’s unique characteristics, such as the fingerprints, face, voice, or retinal
image, against a stored profile of these characteristics to determine any differences between
these characteristics and the stored profile. If the two profiles match, access is granted.

The steady stream of incidents in which hackers have been able to access traditional
passwords highlights the need for more secure means of authentication. Two-factor
authentication increases security by validating users through a multistep process. To be
authenticated, a user must provide two means of identification, one of which is typically a
physical token, such as a smartcard or chip-enabled bank card, and the other of which is
typically data, such as a password or personal identification number (PIN). Biometric data,
such as fingerprints, iris prints, or voice prints, can also be used as one of the authenticating
mechanisms.

FIREWALLS, INTRUSION DETECTION SYSTEMS, AND ANTI-MALWARE SOFTWARE

Without protection against malware and intruders, connecting to the Internet would be very
dangerous. Firewalls, intrusion detection systems, and antimalware software have become
essential business tools.

FIREWALLS:
Firewalls prevent unauthorized users from accessing private networks. A firewall is a
combination of hardware and software that controls the flow of incoming and outgoing
network traffic. It is generally placed between the organization’s private internal networks
and distrusted external networks, such as the Internet, although firewalls can also be used to
protect one part of a company’s network from the rest of the network (see Figure 8.5).

The firewall acts like a gatekeeper that examines each user’s credentials before it grants
access to a network. The firewall identifies names, IP addresses, applications, and other
characteristics of incoming traffic. It checks this information against the access rules that the
network administrator has programmed into the system. The firewall prevents unauthorized
communication into and out of the network.

There are a number of firewall screening technologies, including static packet filtering,
stateful inspection, Network Address Translation, and application proxy filtering. They are
frequently used in combination to provide firewall protection.

Firewall Screening Technologies

1. Static Packet Filtering:
o This method examines each packet of data against a set of predefined rules. It
checks attributes like source and destination IP addresses, port numbers, and
protocols to determine whether to allow or block the packet. It's fast but does
not track the state of connections, making it less effective against sophisticated
attacks.
2. Stateful Inspection:
o Unlike static packet filtering, stateful inspection keeps track of active
connections and their states. It monitors the entire session and allows packets
that are part of an established connection while blocking those that are not.
This provides better security by understanding the context of the traffic.
3. Network Address Translation (NAT):
o NAT is used to hide internal IP addresses from external networks. It allows
multiple devices on a local network to share a single public IP address. By
translating private IP addresses to a public address, NAT adds a layer of
security and helps prevent direct access to internal devices from the outside.
4. Application Proxy Filtering:
o This technique involves using an intermediary server (proxy) that intercepts
requests between users and the internet. The proxy can inspect and filter traffic
based on application-specific rules, providing enhanced security by preventing
direct connections to external servers and allowing for more detailed content
filtering.
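
The difference between static packet filtering and stateful inspection in the list above comes down to whether the firewall remembers connections. This added Python example (not from the textbook) runs the same three packets through both kinds of filter; the addresses are constructed from RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample hosts (documentation address ranges, not real systems).
INSIDE_HOST = "10.0.0.5"
WEB_SERVER = "198.51.100.20"
STRANGER = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": Internet -> LAN, "out": LAN -> Internet
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    direction: str
    proto: str
    dst_ports: Optional[Tuple[int, int]]  # inclusive range; None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.proto != pkt.proto:
            return False
        return self.dst_ports is None or self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]


class StaticPacketFilter:
    """Judges each packet on its own header fields: first matching rule wins,
    default deny. It keeps no memory of earlier packets."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFirewall(StaticPacketFilter):
    """Same rule syntax, but records sessions opened from inside and admits
    inbound packets only when they belong to one of them."""
    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            return "allow" if key in self.sessions else super().decide(pkt)
        verdict = super().decide(pkt)
        if verdict == "allow":
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return verdict


def run_scenario():
    """Inside host opens HTTPS; the server replies; a stranger then sends an
    unsolicited packet to the same inside port. Returns both filters' verdicts."""
    request = Packet("out", "tcp", INSIDE_HOST, 51000, WEB_SERVER, 443)
    reply = Packet("in", "tcp", WEB_SERVER, 443, INSIDE_HOST, 51000)
    unsolicited = Packet("in", "tcp", STRANGER, 4444, INSIDE_HOST, 51000)
    traffic = [request, reply, unsolicited]

    # A static filter can only let replies back in by opening every high port
    # inbound, which also lets the unsolicited packet through.
    static_rules = [Rule("allow", "out", "tcp", (443, 443)),
                    Rule("allow", "in", "tcp", (1024, 65535))]
    # The stateful firewall needs no inbound rule at all.
    stateful_rules = [Rule("allow", "out", "tcp", (443, 443))]

    static, stateful = StaticPacketFilter(static_rules), StatefulFirewall(stateful_rules)
    return ([static.decide(p) for p in traffic], [stateful.decide(p) for p in traffic])
```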
INTRUSION DETECTION SYSTEMS:
In addition to firewalls, commercial security vendors now provide intrusion detection tools
and services to protect against suspicious network traffic and attempts to access files and
databases. Intrusion detection systems feature full-time monitoring tools placed at the most
vulnerable points or hot spots of corporate networks to detect and deter intruders continually.
The system generates an alarm if it finds a suspicious or anomalous event. Scanning software
looks for patterns indicative of known methods of computer attacks such as bad passwords,
checks to see whether important files have been removed or modified, and sends warnings of
vandalism or system administration errors.

Anti-malware Software
Defensive technology plans for both individuals and businesses must include anti-malware
protection for every computer. Anti-malware software prevents, detects, and removes
malware, including computer viruses, computer worms, Trojan horses, spyware, and adware.
However, most anti-malware software is effective only against malware already known when
the software was written. To remain effective, the software must be continually updated.
Even then it is not always effective because some malware can evade detection.
Organizations need to use additional malware detection tools for better protection.

Unified Threat Management Systems


To help businesses reduce costs and improve manageability, security vendors have combined
into a single appliance various security tools, including firewalls, virtual private networks,
intrusion detection systems, and web content filtering and anti-spam software. These
comprehensive security management products are called unified threat management
(UTM) systems. UTM products are available for all sizes of networks. Leading UTM
vendors include Fortinet, Sophos, and Check Point, and networking vendors such as Cisco
Systems and Juniper Networks provide some UTM capabilities in their products.

Securing Wireless Networks


The initial security standard developed for Wi-Fi, called Wired Equivalent Privacy (WEP), is
not very effective because its encryption keys are relatively easy to crack. WEP provides
some margin of security. Corporations can further improve Wi-Fi security by using it in
conjunction with virtual private network (VPN) technology when accessing internal corporate
data.

In June 2004, WPA2 replaced WEP with stronger security standards. Instead of the static
encryption keys used in WEP, the new standard uses much longer keys that continually
change, making them harder to crack. The most recent specification is WPA3, introduced in
2018.

Virtual Private Network (VPN)


A Virtual Private Network (VPN) is a technology that creates a secure and encrypted
connection over a less secure network, such as the Internet. It allows users to send and
receive data as if their devices were directly connected to a private network, enhancing both
security and privacy.

ENCRYPTION AND PUBLIC KEY INFRASTRUCTURE


Many businesses use encryption to protect digital information that they store, physically
transfer, or send over the Internet. Encryption is the process of transforming plain text or
data into cipher text that cannot be read by anyone other than the sender and the intended
receiver. Data are encrypted by using a secret numerical code, called an encryption key, that
transforms plain data into cipher text. The message must be decrypted by the receiver.

Two methods for encrypting network traffic on the web are SSL and S-HTTP.

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), enable
client and server computers to manage encryption and decryption activities as they
communicate with each other during a secure web session. Secure Hypertext Transfer
Protocol (S-HTTP) is another protocol used for encrypting data flowing over the Internet,
but it is limited to individual messages, whereas SSL and TLS are designed to establish a
secure connection between two computers.

The capability to generate secure sessions is built into Internet client browser software and
servers. The client and the server negotiate what key and what level of security to use. Once a
secure session is established between the client and the server, all messages in that session are
encrypted.

Two methods of encryption are symmetric key encryption and public key encryption.

In symmetric key encryption, the sender and receiver establish a secure Internet session by
creating a single encryption key and sending it to the receiver so both the sender and receiver

share the same key. The strength of the encryption key is measured by its bit length. Today, a
typical key will be 56 to 256 bits long (a string of from 56 to 256 binary digits) depending on
the level of security desired. The longer the key, the more difficult it is to break the key. The
downside is that the longer the key, the more computing power it takes for legitimate users to
process the information.

The problem with all symmetric encryption schemes is that the key itself must be shared
somehow among the senders and receivers, which exposes the key to outsiders who might
just be able to intercept and decrypt the key.

A more secure form of encryption called public key encryption uses two keys: one shared
(or public) and one totally private as shown in Figure 8.6. The keys are mathematically
related so that data encrypted with one key can be decrypted using only the other key. To
send and receive messages, communicators first create separate pairs of private and public
keys. The public key is kept in a directory, and the private key must be kept secret. The
sender encrypts a message with the recipient’s public key. On receiving the message, the
recipient uses his or her private key to decrypt it.

Digital certificates are data files used to establish the identity of users and electronic assets
for protection of online transactions (see Figure 8.7). A digital certificate system uses a
trusted third party, known as a certificate authority (CA), to validate a user’s identity. There
are many CAs in the United States and around the world, including Symantec, GoDaddy, and
Comodo. The CA verifies a digital certificate user’s identity offline. This information is put
into a CA server, which generates an encrypted digital certificate containing owner
identification information and a copy of the owner’s public key. The certificate authenticates
that the public key belongs to the designated owner.

The digital certificate system would enable, for example, a credit card user and a merchant to
validate that their digital certificates were issued by an authorized and trusted third party
before they exchange data. Public key infrastructure (PKI), the use of public key
cryptography working with a CA, is now widely used in e-commerce.

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework that enables secure communication and the
management of digital certificates using public key cryptography. It consists of a
combination of hardware, software, policies, and procedures to create, manage, distribute,
and revoke digital certificates, which are essential for verifying the identity of users, devices,
and services.
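The two ideas above, encrypting with the recipient's public key and a CA signing a certificate that binds an owner to a public key, can be walked through end to end. This is an added Python example, not code from the textbook: it uses textbook-sized RSA primes that are constructed for illustration and far too small for real use, and the owner name merchant.example is made up.

```python
import hashlib
import json

# Toy parameters: small primes so the arithmetic stays visible. Real RSA keys use
# primes of 1024 bits or more; these constructed values are for illustration only.
USER_PRIMES = (61, 53)        # n = 3233
CA_PRIMES = (65537, 65521)    # n about 4.3e9


def make_keypair(p: int, q: int, e: int = 17):
    """One communicator's key pair: (e, n) is published, d stays private. The two
    are mathematically related so that what one encrypts only the other decrypts."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(recipient_public_key, message: bytes) -> list:
    """The sender encrypts with the RECIPIENT's public key, one byte per block."""
    e, n = recipient_public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, blocks: list) -> bytes:
    """Only the recipient's private key reverses the operation."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_certificate(ca_private_key, owner: str, owner_public_key) -> dict:
    """The CA, after checking the owner's identity offline, binds the owner's name
    to the owner's public key and signs that binding with the CA's private key."""
    body = {"owner": owner, "public_key": list(owner_public_key)}
    d, n = ca_private_key
    h = _digest_mod_n(json.dumps(body, sort_keys=True).encode(), n)
    return {"body": body, "signature": pow(h, d, n)}


def verify_certificate(ca_public_key, cert: dict) -> bool:
    """A relying party checks the CA's signature with the CA's PUBLIC key. Any
    change to the body (owner name or key) makes the check fail."""
    e, n = ca_public_key
    h = _digest_mod_n(json.dumps(cert["body"], sort_keys=True).encode(), n)
    return pow(cert["signature"], e, n) == h


def demo() -> dict:
    """The exchange in the text: the merchant publishes a key, the CA certifies
    it, the customer verifies the certificate and then encrypts for the merchant."""
    merchant_pub, merchant_priv = make_keypair(*USER_PRIMES)
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    cert = issue_certificate(ca_priv, "merchant.example", merchant_pub)
    # Someone who swaps in another public key cannot re-sign as the CA.
    forged = {"body": dict(cert["body"], public_key=[17, 9999]),
              "signature": cert["signature"]}
    ciphertext = encrypt(tuple(cert["body"]["public_key"]), b"card ending 4242")
    return {
        "genuine_cert_ok": verify_certificate(ca_pub, cert),
        "forged_cert_ok": verify_certificate(ca_pub, forged),
        "merchant_reads": decrypt(merchant_priv, ciphertext),
    }
```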

SECURING TRANSACTIONS WITH BLOCKCHAIN

Blockchain technology is a decentralized and distributed digital ledger system that securely
records transactions across multiple computers. Each transaction is grouped into a block,
which is then linked to the previous block, forming a chain. This structure ensures that once
data is recorded, it cannot be altered without altering all subsequent blocks, making it highly
resistant to tampering and fraud. Blockchain operates on a consensus mechanism, allowing
participants in the network to agree on the validity of transactions without the need for a
central authority. Its transparency, security, and ability to facilitate trust among parties make

it a foundational technology for cryptocurrencies, smart contracts, and various applications
across industries, from finance to supply chain management.
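The linking of blocks by hash described above, and why altering one block forces every later block to be rewritten, can be shown with a minimal hash chain. This is an added Python example, not code from the textbook; the transactions are constructed strings and consensus is not modelled.

```python
import hashlib
import json
from typing import Dict, List

GENESIS_PREV = "0" * 64   # the first block points at an all-zero "previous hash"


def block_hash(block: Dict) -> str:
    """SHA-256 over the block's index, transactions and prev_hash (not its own
    hash field), serialised canonically so every node computes the same value."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def build_chain(transaction_groups: List[List[str]]) -> List[Dict]:
    """Group transactions into blocks and link each block to the one before it."""
    chain, prev = [], GENESIS_PREV
    for index, txs in enumerate(transaction_groups):
        block = {"index": index, "transactions": list(txs), "prev_hash": prev}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain: List[Dict]) -> int:
    """Return -1 if every block's hash is correct and every link matches the
    previous block's hash; otherwise the index of the first block that fails.
    This is the check a participant runs before accepting a chain."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return i
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if block["prev_hash"] != expected_prev:
            return i
    return -1


def alter_block(chain: List[Dict], index: int, new_txs: List[str]) -> List[Dict]:
    """Simulated tampering on a copy: rewrite one block's transactions and
    recompute its hash. The next block's prev_hash now points at a hash that no
    longer exists, so the change is detected one block later."""
    forged = [dict(b) for b in chain]
    forged[index] = dict(forged[index], transactions=list(new_txs))
    forged[index]["hash"] = block_hash(forged[index])
    return forged


def rewrite_from(chain: List[Dict], index: int, new_txs: List[str]) -> List[Dict]:
    """What a forger would have to do instead: re-link and re-hash every block
    after the altered one. On a real network that rewritten chain still has to
    be accepted by the other participants under the consensus mechanism."""
    forged = alter_block(chain, index, new_txs)
    for i in range(index + 1, len(forged)):
        forged[i] = dict(forged[i], prev_hash=forged[i - 1]["hash"])
        forged[i]["hash"] = block_hash(forged[i])
    return forged
```

Note that altering the newest block and recomputing its hash passes this structural check, because no later block refers to it; only the other participants' copies and the consensus mechanism catch that, which is why the ledger is distributed rather than kept in one place.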

ENSURING SYSTEM AVAILABILITY

As companies increasingly rely on digital networks for revenue and operations, they need to
take additional steps to ensure that their systems and applications are always available. Firms
such as those in the airline and financial services industries with critical applications
requiring online transaction processing have traditionally used fault-tolerant computer
systems for many years to ensure 100 percent availability.

In online transaction processing, transactions entered online are immediately processed by
the computer. Multitudinous changes to databases, reporting, and requests for information
occur each instant.

Fault-tolerant computer systems contain redundant hardware, software, and power supply
components that create an environment that provides continuous, uninterrupted service.
Fault-tolerant computers use special software routines or self-checking logic built into their
circuitry to detect hardware failures and automatically switch to a backup device. Parts from
these computers can be removed and repaired without disruption to the computer or
downtime. Downtime refers to periods of time in which a system is not operational.

Controlling Network Traffic: Deep Packet Inspection

Bandwidth-consuming applications such as file-sharing programs, Internet phone service, and
online video can clog and slow down corporate networks, degrading performance. A
technology called deep packet inspection (DPI) helps solve this problem. DPI examines
data files and sorts out low-priority online material while assigning higher priority to
business-critical files. Based on the priorities established by a network’s operators, it decides
whether a specific data packet can continue to its destination or should be blocked or delayed
while more important traffic proceeds.

Deep Packet Inspection (DPI) is a technology that analyzes the data packets sent over a
network in detail. Unlike standard methods that only check the basic information in a packet,
DPI looks at the content itself, allowing it to identify specific applications and types of data.
This can help in improving network security by spotting threats, managing bandwidth, and
ensuring better performance. However, it also raises privacy concerns since it involves
examining potentially sensitive information.

Security Outsourcing

Many companies, especially small businesses, lack the resources or expertise to provide a
secure high-availability computing environment on their own. They can outsource many
security functions to managed security service providers (MSSPs) that monitor network
activity and perform vulnerability testing and intrusion detection. SecureWorks, AT&T,
Verizon, IBM, Perimeter eSecurity, and Symantec are leading providers of MSSP services.

SECURITY ISSUES FOR CLOUD COMPUTING AND THE MOBILE DIGITAL
PLATFORM

Although cloud computing and the emerging mobile digital platform have the potential to
deliver powerful benefits, they pose new challenges to system security and reliability.

Security in the Cloud


When processing takes place in the cloud, accountability and responsibility for protection of
sensitive data still reside with the company owning that data. Understanding how the cloud
computing provider organizes its services and manages the data is critical.

Cloud computing is highly distributed. Cloud applications reside in large remote data centers
and server farms that supply business services and data management for multiple corporate
clients. To save money and keep costs low, cloud computing providers often distribute work
to data centers around the globe where work can be accomplished most efficiently. When you
use the cloud, you may not know precisely where your data are being hosted.

Cloud Security: Key Considerations

• Encryption is essential: Cloud providers should use encryption for both data
transmission and storage to protect against unauthorized access.
• DDoS attacks pose a threat: Companies should be aware of the risk of DDoS attacks
and ensure their cloud provider has measures in place to mitigate them.
• Reliability is crucial: While cloud providers have improved reliability, occasional
outages can still occur.
• Data protection is paramount: Cloud users must confirm that their data is stored
and processed in accordance with their corporate security requirements.
• Jurisdiction matters: Data should be stored and processed in jurisdictions with
appropriate privacy laws.
• Data segregation and encryption: Cloud providers should ensure that data is
segregated from other companies' data and that encryption mechanisms are robust.
• Disaster recovery planning is essential: Cloud users should understand the
provider's disaster recovery plan, including data restoration capabilities and timelines.
• External audits and certifications are valuable: Cloud providers should be subject
to external audits and security certifications to demonstrate their commitment to
security.
• Service level agreements (SLAs) should address security: SLAs should include
specific security requirements and performance guarantees.
• Cloud Security Alliance (CSA) standards provide guidance: The CSA offers
industry-wide standards for cloud security best practices.

Securing Mobile Platforms: Key Considerations

• Mobile devices need robust security: Similar to desktops and laptops, they require
protection against malware, theft, loss, unauthorized access, and hacking.
• Corporate security policies must include mobile devices: Companies should have
specific guidelines for mobile device support, protection, and usage.
• Mobile device management tools are essential: These tools help manage device
inventory, control updates, and remotely lock or erase lost devices.
• Data loss prevention technology is crucial: This technology identifies data
movement and helps prevent unauthorized access and data breaches.
• Guidelines for approved platforms and software are necessary: Companies should
define acceptable mobile platforms and applications for corporate use.
• Remote access procedures must be secure: Guidelines should be in place for remote
access to corporate systems, including encryption requirements.
• Unsecured consumer applications should be prohibited: Employees should not use
personal applications for transferring or storing corporate data.
• Encryption is essential: Communication should be encrypted whenever possible to
protect sensitive information.
• Password usage is mandatory: All mobile device users should be required to use
strong passwords.

Ensuring Software Quality

In addition to implementing effective security and controls, organizations can improve
system quality and reliability by employing software metrics and rigorous software testing.

Software metrics are objective assessments of the system in the form of quantified
measurements. Ongoing use of metrics allows the information systems department and end
users to measure the performance of the system jointly and identify problems as they occur.

Early, regular, and thorough testing will contribute significantly to system quality. Many
view testing as a way to prove the correctness of work they have done.

Good testing begins before a software program is even written, by using a walkthrough, a
review of a specification or design document by a small group of people carefully selected
based on the skills needed for the particular objectives being tested.

When developers start writing software programs, coding walkthroughs can also be used to
review program code. However, code must be tested by computer runs. When errors are
discovered, the source is found and eliminated through a process called debugging.
