Securing Information Systems
Management Information Systems
Learning objectives

• Discuss the primary goals of information security.
• Evaluate the main types of risks to information systems.
• Describe the various types of attacks on networked systems.
• Discuss the types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce.
• Describe the various kinds of security measures that can be implemented to protect data and ISs.
© Prentice Hall 2011


Computer controls and security
The role of computer controls and security is to protect systems
against accidental mishaps and intentional theft and corruption of
data and applications. They also help organizations ensure that their
IT operations comply with the law and with expectations of
employees and customers for privacy.
The major goals of information security are to:
• Reduce the risk of systems and organizations ceasing operations.
• Maintain information confidentiality.
• Ensure the integrity and reliability of data resources.
• Ensure the uninterrupted availability of data resources and online
operations.
• Ensure compliance with policies and laws regarding security and
privacy.

Computer controls and security

Security:
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Controls:
Methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards.
Access controls are necessary to protect the confidentiality, integrity, and availability of objects. The term covers a broad range of controls, from requiring a user to present a valid username and password to log on, to preventing users from reaching resources outside their authorized sphere of access.

Access controls

Access controls can be divided into three categories by function:

Preventative access control
A preventative access control is deployed to stop unwanted or unauthorized activity from occurring. Examples include fences, security policies, security awareness training, and antivirus software.
Detective access control
A detective access control is deployed to discover unwanted or unauthorized activity. Examples include security guards, supervising users, incident investigations, and intrusion detection systems.
Corrective access control
A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Examples include alarms, mantraps, and security policies.
Independently of its function, the implementation of an access control can be categorized as administrative, logical/technical, or physical.


Access controls

Administrative access controls
Administrative access controls are the policies and procedures defined by an organization's security policy to implement and enforce overall access control. Examples include policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.
Logical/technical access controls
Logical access controls and technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to protect them. Examples include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion detection systems, and clipping levels.
Physical access controls
Physical access controls are the physical barriers deployed to prevent direct contact with systems. Examples include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, dogs, video cameras, mantraps, and alarms.

Security principles

The essential security principles of confidentiality, integrity, and availability are often referred to as the CIA Triad. All security controls must address these principles. Each domain addresses them in unique ways, so it is important to understand them both in general terms and within each specific domain:
Confidentiality is the principle that objects are not disclosed to unauthorized subjects.
Integrity is the principle that objects retain their veracity and are only intentionally modified by authorized subjects.
Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.
Different security mechanisms address these three principles in different ways and offer varying degrees of support for each of them.


Passwords

The most commonly used authentication technique is the password, but it is also considered the weakest form of protection. Passwords are poor security mechanisms for several reasons, including the following:
• Users typically choose passwords that are easy to remember, and therefore easy to guess or crack.
• Randomly generated passwords are hard to remember, so many users write them down.
• Passwords are easily shared, written down, and forgotten.
• Passwords can be stolen through many means, including observation, recording and playback, and theft of the security database.
• Passwords are often transmitted in clear text or with easily broken encryption protocols.
• Password databases are often stored in locations accessible to unauthorized parties.
• Short passwords can be discovered quickly in brute force attacks.
Dynamic passwords change after a specified interval of time or number of uses. One-time passwords (single-use passwords) are a variant of dynamic passwords that change every time they are used, so a captured password cannot be replayed.


System Vulnerability and Abuse

CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES

FIGURE 8-1 The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of
these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at
any point in the network.

System Vulnerability and Abuse

WI-FI SECURITY CHALLENGES
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to capture traffic, learn a valid address on the network, and then use it to access the network's resources without authorization.


Security challenges

When a malicious user or attacker seeks to obtain passwords, there are several methods they can employ, including network traffic analysis, password file access, brute force attacks, dictionary attacks, and social engineering.
Network traffic analysis is the process of capturing network traffic (sniffing) while a user is entering a password for authentication. Once the password is discovered, the attacker can present it, or replay the captured packet containing it, to gain access. If an attacker can gain access to the password database file, it can be copied and a password cracking tool run against it offline to recover usernames and passwords.
Brute force and dictionary attacks are password attacks that can be waged either against a stolen password database file or against a system's logon prompt. In a dictionary attack, the attacker uses a list of common passwords and dictionary words to attempt to discover an account's password. In a brute force attack, a systematic trial of all possible character combinations is used to discover it; the number of combinations grows exponentially with password length, which is why short passwords fall quickly.
A social engineering attack is an attempt by an attacker to obtain logon capabilities by deceiving a user, usually over the telephone, into performing specific actions on the system, such as changing the password of an executive who is on the road or creating an account for a fictitious new employee.
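The dictionary and brute force attacks described above, run against a constructed password store, as an added example that is not part of the original slides. The usernames, passwords, wordlist, and hash settings are invented for illustration. The second half shows the storage-side defence the slides imply but do not spell out: a random per-user salt plus a deliberately slow hash (PBKDF2 from the Python standard library), which removes the attacker's ability to test one guess against every user at once and multiplies the cost of each guess.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed "stolen password database" (assumption: two users, unsalted
# SHA-256 digests). Fast unsalted hashes are the weak storage the slides warn
# about: one shared table of guesses tests every user at once.
STOLEN_UNSALTED_DB = {
    "alice": hashlib.sha256(b"sunshine").hexdigest(),  # dictionary word
    "bob": hashlib.sha256(b"ab12").hexdigest(),        # short: brute-forceable
}

# Constructed attacker wordlist; real ones hold millions of leaked passwords.
WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune upward in practice


def dictionary_attack_unsalted(db):
    """Hash each wordlist entry once, then look every user up in the same table."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}
    return {user: table[h] for user, h in db.items() if h in table}


def brute_force_unsalted(target_hex, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Systematically try every string of up to max_len characters.

    Returns (recovered_password, number_of_guesses). With 36 symbols and at
    most 4 characters the whole space is 36**4 + 36**3 + 36**2 + 36 guesses."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
                return candidate, guesses
    return None, guesses


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Storage-side defence: random per-user salt plus slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def dictionary_attack_salted(db):
    """The same wordlist against salted PBKDF2 records.

    The salt defeats the shared lookup table: every guess must be rehashed
    separately for every user, and each rehash costs `iterations` HMACs.
    Returns (recovered, number_of_slow_hashes_performed)."""
    recovered, work = {}, 0
    for user, record in db.items():
        for word in WORDLIST:
            work += 1
            if verify_password(word, record):
                recovered[user] = word
                break
    return recovered, work


def demo():
    cracked = dictionary_attack_unsalted(STOLEN_UNSALTED_DB)
    pw, n = brute_force_unsalted(STOLEN_UNSALTED_DB["bob"])
    salted_db = {"alice": hash_password("sunshine"), "bob": hash_password("ab12")}
    found, work = dictionary_attack_salted(salted_db)
    return cracked, pw, n, found, work


if __name__ == "__main__":
    cracked, pw, n, found, work = demo()
    print("dictionary attack on unsalted store:", cracked)
    print(f"brute force recovered {pw!r} after {n} guesses")
    print(f"salted store: {found} after {work} slow hashes ({work * PBKDF2_ITERATIONS:,} HMACs)")
```

The salted store still gives up "sunshine", because salting and slow hashing do not rescue a password that is in the attacker's wordlist; they only make each guess expensive and per-user. Length and unpredictability of the password itself remain the user's contribution.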

System Vulnerability and Abuse

Malware (malicious software)

Viruses
• Rogue software programs that attach themselves to other software programs or data files in order to be executed
Worms
• Independent computer programs that copy themselves from one computer to other computers over a network
Trojan horses
• Software programs that appear to be benign but then do something other than expected

System Vulnerability and Abuse

Malware (cont.)
SQL injection attacks
• Hackers submit data to Web forms that exploits the site's unprotected software and sends a rogue SQL query to the database
Spyware
• Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
Key loggers
• Record every keystroke on a computer to steal serial numbers and passwords or to launch Internet attacks

System Vulnerability and Abuse

Hackers and computer crime

Hackers vs. crackers
Activities include:
• System intrusion
• System damage
• Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system



Risks to Hardware
The #1 cause of system downtime is hardware failure
Major causes of damage to hardware include:
• Natural disasters: fires, floods, earthquakes, hurricanes, tornadoes, and lightning
• Blackouts and brownouts
  • Blackout: total loss of electricity
  • Brownout: partial loss of electricity
  • Uninterruptible power supply (UPS): backup power
• Vandalism: deliberate destruction
Risks to Data and Applications
Data should be a primary concern because it is often a unique resource
Data and applications are susceptible to disruption, damage, and theft
The culprit in damage to software or data is almost always human
• Keystroke logging: records individual keystrokes
• Social engineering: con artists pretend to be service people and ask for passwords
• Identity theft: pretending to be another person

Risks to Data and Applications (continued)
Risks to data include:
• Alteration
• Destruction
• Web defacement
Deliberate alteration or destruction is often done as a prank, but has a high cost
The target may be a company's Web site

Risks to Data and Applications (continued)
Virus: spreads from computer to computer by attaching itself to other programs or files
Worm: spreads across a network without human intervention
Antivirus software: protects against viruses and worms
Trojan horse: malware disguised as legitimate software (unlike a virus, it does not copy itself)

Risks to Data and Applications (continued)
Logic bomb: software that is programmed to cause damage at a specific time
Unintentional, nonmalicious damage can be caused by:
• Human error
• Lack of adherence to backup procedures
• Poor training
Unauthorized downloading and installation of software may cause damage

Risks to Online Operations
Many hackers try daily to interrupt online businesses
Types of attacks include:
• Unauthorized access
• Data theft
• Defacing of Web pages
• Denial of service
• Hijacking

Denial of Service
Denial of service (DoS): an attacker launches a large number of information requests
• Slows down or blocks legitimate traffic to the site
Distributed denial of service (DDoS): an attacker launches a DoS attack from multiple computers
• Usually launched from hijacked personal computers called "zombies"
There is no definitive cure for this; a site can filter illegitimate traffic

Computer Hijacking
Hijacking: using some or all of a computer's resources without the consent of its owner
• Often done for making a DDoS attack
• Done by installing a software bot on the computer
• Main purpose of hijacking is usually to send spam
• Bots are planted by exploiting security holes in operating systems and communications software
• A bot usually installs e-mail forwarding software

Controls
Controls are constraints and other restrictions imposed on a user or a system. They can be used to secure systems against the risks just discussed or to reduce the damage caused to systems, applications, and data. Controls are implemented not only for access control but also to implement policies and to ensure that nonsensical data is not entered into corporate databases.

Application Reliability and Data Entry Controls
A reliable application is one that can resist inappropriate usage such as incorrect data entry or processing
The application should provide clear messages when errors or deliberate misuses occur
Controls also translate business policies into system features

Backup
Backup: periodic duplication of all data
Redundant Arrays of Independent Disks (RAID): a set of disks programmed to replicate stored data
Data must be routinely transported off-site as protection from a site disaster
Some companies specialize in data backup services or backup facilities for use in the event of a site disaster

Access Controls
Access controls: measures taken to ensure only authorized users have access to a computer, network, application, or data
Physical locks: lock the equipment in a secure facility
Software locks: determine who is authorized
Three types of access controls:
Experts classify access controls (more precisely, the factors used to authenticate a user) into three groups: what you know, what you have, and who you are.
• What you know: access codes such as user IDs, account numbers, and passwords
• What you have: a device such as a security card, which you use directly or which continuously generates coordinated access codes and displays them for you
• Who you are: your unique physical characteristics

Access Controls (continued)
Access codes and passwords are usually stored in the OS or in a database
A security card is more secure than a password
• Allows two-factor access: something you have combined with something you know
Biometric: uses unique physical characteristics such as fingerprints, retinal scans, or voiceprints
Up to 50% of help desk calls are from people who have forgotten their passwords
Biometrics can eliminate these kinds of calls

Atomic Transactions
Atomic transaction: a set of operations treated as a single indivisible unit
All of the operations in the set must be completely executed, or none of them is (partial work is rolled back)
Ensures that an entry is recorded in full in all the appropriate files, or not at all, to guarantee the integrity of the data
Is also a control against malfunction and fraud: an interrupted or tampered-with sequence cannot leave the records half-updated

Audit Trail
Audit trail: a series of documented facts that help detect who recorded which transactions, at what time, and under whose approval
• Sometimes created automatically using data and timestamps
• Certain policy and audit trail controls are required in some countries
Information systems auditor: a person whose job is to find and investigate fraudulent cases
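Atomic transactions and the audit trail together, as an added example that is not code from the slides: a funds transfer on a constructed in-memory ledger in which the debit, the credit, and the audit record (who, when, under whose approval) are committed as one unit, so a failure part-way through leaves balances and the audit table exactly as they were. Account names, balances, and the teller/manager identities are invented for the demo.

```python
import sqlite3
from datetime import datetime, timezone


def open_ledger():
    """Constructed in-memory ledger: two accounts plus an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            name TEXT PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)
        );
        CREATE TABLE audit (
            id INTEGER PRIMARY KEY, ts TEXT NOT NULL, actor TEXT NOT NULL,
            approved_by TEXT NOT NULL, action TEXT NOT NULL, detail TEXT NOT NULL
        );
        INSERT INTO accounts VALUES ('alice', 100), ('bob', 50);
    """)
    return conn


def transfer(conn, actor, approved_by, src, dst, amount):
    """Debit, credit and audit record succeed together or not at all.

    `with conn:` commits if the block completes and rolls back if it raises,
    so a failure after the debit (an unknown destination here) restores the
    source balance and writes no audit row: no half-recorded transaction."""
    try:
        with conn:
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
                (amount, src, amount))
            if cur.rowcount != 1:
                raise ValueError("debit failed: unknown account or insufficient funds")
            cur = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            if cur.rowcount != 1:
                raise ValueError("credit failed: unknown destination account")
            conn.execute(
                "INSERT INTO audit (ts, actor, approved_by, action, detail) VALUES (?, ?, ?, ?, ?)",
                (datetime.now(timezone.utc).isoformat(), actor, approved_by,
                 "transfer", f"{src} -> {dst}: {amount}"))
        return True
    except ValueError:
        return False


def balance(conn, name):
    return conn.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]


def audit_trail(conn):
    """Who recorded what, when, and under whose approval."""
    return conn.execute(
        "SELECT ts, actor, approved_by, action, detail FROM audit ORDER BY id").fetchall()


if __name__ == "__main__":
    db = open_ledger()
    print("ok transfer:   ", transfer(db, "teller1", "manager2", "alice", "bob", 30))
    print("bad destination:", transfer(db, "teller1", "manager2", "alice", "nobody", 30))
    print("overdraft:     ", transfer(db, "teller1", "manager2", "bob", "alice", 999))
    print("balances:", balance(db, "alice"), balance(db, "bob"))
    for row in audit_trail(db):
        print("audit:", row)
```

The audit row is written inside the same transaction as the balance changes on purpose: an audit trail that can record a transfer which never happened, or miss one that did, is worth little to the auditor the slide describes.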

Security Measures
Organizations can protect against attacks using various approaches, including:
• Firewalls
• Authentication
• Encryption
• Digital signatures
• Digital certificates

Firewalls and Proxy Servers
Firewall: a primary defense against unauthorized access over the Internet
Consists of hardware and software that blocks access to computing resources according to a rule set, typically by source, destination, and port
Firewalls are now routinely integrated into routers
DMZ (demilitarized zone) approach: a separate network segment between the Internet and the trusted network that hosts the public-facing servers, so that a compromise of one of them does not give direct access to internal systems
Proxy server: represents another server
Employs a firewall, and is usually placed between the Internet and the trusted network. When a business hires the services of an ISP, the proxy server is often the one operated by the ISP.
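The DMZ rule set as a first-match, default-deny policy, as an added example that is not code from the slides. The three-zone layout (Internet, a DMZ holding a public web server, a trusted LAN holding the database) and every address in it are assumptions for the demo; the point is the evaluation order and the fact that only the web server, not the Internet, may reach the database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed three-zone layout (all addresses are assumptions for the demo):
#   Internet -> firewall -> DMZ (public web server 192.0.2.10)
#                        -> trusted LAN 10.0.0.0/24 (database 10.0.0.20, staff PCs)
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/24")
WEB = ipaddress.ip_network("192.0.2.10/32")
DB = ipaddress.ip_network("10.0.0.20/32")


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


# Evaluated top to bottom, first match wins; the last rule denies everything
# no earlier rule explicitly allowed (default deny).
POLICY = [
    Rule("allow", ANY, WEB, 443),   # public HTTPS into the DMZ only
    Rule("allow", WEB, DB, 5432),   # only the web server may talk to the database
    Rule("allow", LAN, DMZ, 22),    # admins manage DMZ hosts from the trusted LAN
    Rule("deny", ANY, ANY, None),   # everything else, including Internet -> LAN
]


def decide(policy, src, dst, dport):
    """Return the action of the first rule matching the packet's (src, dst, dport)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"  # unreachable with POLICY above, but keeps default deny if the list is edited


if __name__ == "__main__":
    samples = [("203.0.113.5", "192.0.2.10", 443), ("203.0.113.5", "10.0.0.20", 5432),
               ("192.0.2.10", "10.0.0.20", 5432), ("203.0.113.5", "192.0.2.10", 22),
               ("10.0.0.7", "192.0.2.10", 22), ("192.0.2.10", "10.0.0.7", 445)]
    for pkt in samples:
        print(pkt, "->", decide(POLICY, *pkt))
```

The last sample (DMZ host to a staff PC) is the one worth noticing: the rule set also denies traffic originating in the DMZ toward the LAN, which is what limits the damage when the public web server is the machine that gets compromised.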

Authentication and Encryption
Authentication: the process of ensuring that you are who you say you are
Encryption: coding a message into an unreadable form
Messages are encrypted and authenticated to ensure security
A message may be text, image, sound, or other digital information

Authentication and Encryption (continued)
Encryption programs scramble the transmitted information
Plaintext: the original message
Ciphertext: the encoded message
Encryption uses a mathematical algorithm and a key
Key: a unique combination of bits that, together with the algorithm, turns plaintext into ciphertext and deciphers the ciphertext back
Public-key encryption: uses two mathematically related keys, one public and one private; anyone may encrypt with the public key, but only the holder of the private key can decrypt

Digital Signatures
A digital signature is a way to authenticate online messages, analogous to a handwritten signature on paper but implemented with public-key cryptography: the sender signs with a private key, and anyone holding the matching public key can verify the signature.
The digital signature authenticates the identity of the sender of a message and also reveals any alteration of the signed document, because the signature is computed over the document's contents; it is as if the message were carried in an electronically sealed envelope.
The Downside of Security Measures
Single sign-on (SSO): a user must enter his or her name/password only once
• Single sign-on saves employees time
Encryption slows down communication
• Every message must be encrypted and then decrypted
IT specialists must clearly explain the implications of security measures to upper management

Recovery Measures
Security measures may reduce mishaps, but no one
can control all disasters.
Preparation for uncontrolled disasters requires that
recovery measures are in place.

The Business Recovery Plan
Business recovery plan: a plan for how to recover from a disaster
Also called disaster recovery plan, business resumption plan, or business continuity plan
Nine steps to develop a business recovery plan:
1. Obtain management's commitment to the plan
2. Establish a planning committee
3. Perform risk assessment and impact analysis
4. Prioritize recovery needs
   • Mission-critical applications: those without which the business cannot conduct operations

The Business Recovery Plan (continued)
Nine steps to develop a business recovery plan (continued):
5. Select a recovery plan
6. Select vendors
7. Develop and implement the plan
8. Test the plan
9. Continually test and evaluate
The plan should include key personnel and their responsibilities

Recovery Planning and Hot Site Providers
Recovery planning can be outsourced to firms that specialize in disaster recovery planning
Hot sites: alternative sites that a business can use when a disaster occurs
Backup sites provide desks, computer systems, and Internet links

The Economics of Information Security
Security measures should be regarded as analogous to insurance
Spending for security measures should be proportional to the potential damage
A business must assess the minimum acceptable rate of system downtime and ensure that the company can financially sustain the downtime

How Much Security is Enough Security?
Two costs should be considered:
• Cost of the potential damage
• Cost of implementing a preventative measure
As the cost of security measures increases, the cost of potential damage decreases
Companies try to find the optimal point
The company must define what needs to be protected
Security measures should never exceed the value of the protected system

Summary
• The purpose of controls and security measures is to maintain the functionality of ISs
• Risks to ISs include risks to hardware, data, and networks, and natural disaster and vandalism
• Risks to data and applications include theft of information, identity theft, data alteration, data destruction, defacement of Web sites, viruses, worms, logic bombs, and nonmalicious mishaps
• Risks to online systems include denial of service and hijacking

Summary (continued)
• Controls are used to minimize disruption
• Access controls require information to be entered before resources are made available
• Atomic transactions ensure data integrity
• Firewalls protect against Internet attacks
• Encryption schemes scramble messages to protect them on the Internet
• A key is used to encrypt and decrypt messages

Summary (continued)
• Digital certificates, which vouch for a public key, can be obtained from a certificate authority
• Many organizations have business recovery plans, which may be outsourced
• Careful evaluation of the amount spent on security measures is necessary
• Redundancy reduces the probability of downtime
• Governments are obliged to protect citizens against crime and terrorism
