Module 2: Information Technology Infrastructure Chapter 7: Information Systems Security
Learning Objectives Identify the reasons for Information Systems’ vulnerabilities Discuss the reasons for security for business Discuss the different types of threats Identify the components of an organizational framework for security and control Discuss the various tools and technologies for safeguarding IS
Security and Control Security Control Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft or physical damage to Information Systems Control Methods, policies, and organizational procedures that ensure that safety of the organizational assets; the accuracy and reliability or records; operational adherence to management standards
Why Systems are Vulnerable? Data stored in electronic form is vulnerable In communication network, breach can occur at any access point Steal data, alter messages Intruders with DoS attacks disrupts Web sites operations Hardware breakdowns Bad configuring, improper installation, or unauthorized changes Offshore partnering also adds to system vulnerability Portability makes cell phones, smart phones, tablets to be easily stolen Apps for mobile phones can be used to malicious purposes
Internet and Wireless Security Challenges Internet more vulnerable than internal networks Widespread impact of attack Always-on connection have fixed address becomes fixed target Also most VoIP transmission is not encrypted, so susceptible to interception Vulnerability also increases because of e-mails, IMs and peer-to-peer(P2P) file sharing
Wireless Security Challenges Wireless communication is vulnerable because radio frequency bands are easier to scan (eavesdropping) Hackers use wireless cards, external antenna and hacking software to intrude into WLANs Sniffer programs OS have the ability to identify the SSID of the network, and configures the NIC accordingly Wired Equivalent Privacy (WEP) Security standard Allows access point users to share a 40-bit encrypted password Stronger encryption: WPA2
Malicious Software (Malware) Virus Malicious software program that attaches itself to another program or file to be executed Mostly they deliver a ‘payload’, (just a message or destroys data) Spread from computer to computer, triggered by human actions Worm Copy themselves from computer to computer through network Destroy data and halt operations of computer network Usually come through downloaded programs, e-mail attachments Malware target mobile devices too, thus being a serious threat to enterprise computing
Malicious Software Trojan Horse SQL injection attacks Spyware Looks like a legitimate program Does not replicate itself, but creates way for virus and other malicious code Based on the Greek Trojan war SQL injection attacks Malware that takes advantage of vulnerabilities in poorly coded web application software Enter data into online form to check for vulnerability to a SQL injection Spyware Small programs that temporarily install themselves on the computer to monitor web surfing for advertising, but they also act as malware, affecting the computer performance
Hacking and Computer Crime Accessing a computer system unauthorized Usually “cracker” is an individual with criminal intent Find weaknesses in the security features of web sites or computer systems CyberVandalism Intentional disruption, defacement of web site or corporate information Spoofing Hackers hide themselves behind fake ids Also involves redirecting a Web link to a fake ones that looks like the original site
Hacking and Computer Crime Sniffing Eavesdropping program that monitors information traveling over a network They have a legitimate use as well, but otherwise can be very lethal DoS Attack Hackers flood a network server or web server will many requests for services to crash the network For e-commerce sites, these attacks can be costly
Hacking and Computer Crime “Any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation or prosecution” Computers as targets of crime Computer as instruments of crime Breaching the confidentiality of protected computerized data Accessing a computer without authority Accessing a protected computer to commit fraud Accessing a protected computer to cause damage Transmitting a program that intentionally causes damage Threatening to cause damage to protected computer Theft of trade secrets Unauthorized copying of software or copyrighted intellectual property Schemes to defraud Using e-mail for threats and harassment Intentionally attempting to intercept electronic communication Illegally accessing stored electronic documents
Hacking and Computer Crime Identity Theft Crime in which an imposter obtains key pieces of key personal information to impersonate someone else, eg. Credit card theft Phishing Setting up fake web sites or sending fake e-mails that look legitimate to ask users for personal data Pharming Redirects users to fake web page even when they have entered the correct web address Happens when ISP companies have flawed software Cyberterrorism Cyber attacks that target software that run electric power grids, air traffic control, or bank networks (on large scale)
Business Value of Security and Control Usually businesses don’t put much effort in security However, security and control is critical to businesses They lose 2.1% of market value if security breach happens Valuable and confidential info needs protection Inadequacy can lead to Legal liability Data exposure Implementation Advantages High return on investment Employee productivity Lower operational costs
Electronic Evidence and Computer Forensics Nowadays, legal cases rely on digital data stored on storage media along with e-mail and e-commerce transactions Effective electronic document policy Records organized, discarded not too soon Computer Forensics scientific collection, examination, authentication, preservation and analysis of data retrieved from storage media Used for court evidence Also includes ambient data Firm’s contingency planning process should have awareness of this
Case Study: When Antivirus software cripples your computers Company: McAfee – prominent antivirus software Product: AntiVirus Plus Problem: released an update that caused the computers to crash and failed to reboot Lost network capability Couldn’t detect USB drives Usually Windows XP service pack 3, McAfee VirusScan version 8.7 Conducted investigation to figure out ‘why’ was the mistake made and ‘who’ got affected
Case Study: When Antivirus software cripples your computers Result Users did not receive a warning that svchost.exe was going to be quarantined Quality assurance failed to detect the critical error Testing was not conducted on the mentioned operating system Created a “SuperDAT Remediation tool” to fix the problem
Case Study: When Antivirus software cripples your computers Management factors Did not apply proper quality assurance procedures Organizational factors Had recently changed their QA environment Technology factors The users did not receive a warning that a critical file will be quarantined Business Impact Damage an antivirus company’s reputation because people blindly trust such companies Customer’s businesses became non-functional and had to shut down until computers were fixed