
1 IS Today (Valacich & Schneider) Copyright © 2010 Pearson Education, Inc. Published as Prentice Hall 8/26/2015
Chapter 7: Securing Information Systems
“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.” (Benjamin Franklin)
Source: http://shop.netstumbler.com/SearchResult.aspx?CategoryID=26

2 Learning Objectives
1. Explain what is meant by the term “information systems security” and describe the primary threats to information systems security and how systems are compromised.
2. Describe both technology- and human-based safeguards for information systems.
3. Discuss how to better manage information systems security and explain the process of developing an information systems security plan.
4. Describe how organizations can establish IS controls to better ensure security.


4 Information Systems Security
All systems connected to a network are at risk
- Internal threats
- External threats
Information systems security
- Precautions to keep IS safe from unauthorized access and use
Increased need for good computer security with increased use of the Internet

5 Primary Threats to Information Systems Security
Accidents and natural disasters
- Power outages, cats walking across keyboards
Employees and consultants
Links to outside business contacts
- Travel between business affiliates
Outsiders
- Viruses

6 Unauthorized Access
Unauthorized people
- Look through electronic data
- Peek at monitors
- Intercept electronic communication
Theft of computers or storage media
Determined hackers gain administrator status

7 Information Modification
User accesses electronic information
User changes information
- Employee gives himself a raise

8 Computer Viruses
Corrupt and destroy data
Destructive code can
- Erase a hard drive
- Seize control of a computer
Worms
- Variation of a virus
- Replicate endlessly across the Internet
- Servers crash

9 Denial of Service Attack
Attackers prevent legitimate users from accessing services
Zombie computers
- Created by viruses or worms
- Attack Web sites
Servers crash under increased load
- MyDoom attack on Microsoft’s Web site

10 Spyware
Hidden within freeware or shareware, or embedded within Web sites
Gathers information about a user
- Credit card information
- Behavior tracking for marketing purposes
Eats up the computer’s memory and network bandwidth
Adware
- Free software paid for by advertisements
- Sometimes contains spyware
- Collects information for banner ad customization

11 Spam
Electronic junk mail
Advertisements of products and services
Eats up storage space
Compromises network bandwidth
Spim
- Spam over IM
Spam filters can help
Source: Websense Security Labs Quarterly Research Highlights, Q3-Q4 2007.

12 Phishing
Attempts to trick users into giving away credit card numbers
Phony messages
Duplicates of legitimate Web sites
Examples: eBay and PayPal have been used

13 CAPTCHA
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
Uses images that computers cannot read
Combination of techniques is needed to stop spammers

14 Cookies
Messages passed to a Web browser from a Web server
Used for Web site customization
Cookies may contain sensitive information
Managing cookies
- Cookie killer software
- Web browser settings

15 Other Threats to IS Security
1. Employees writing passwords on paper
2. No installation of antivirus software
3. Use of default network passwords
4. Letting outsiders view monitors
5. Organizations fail to limit access to some files
6. Organizations fail to install firewalls
7. Not doing proper background checks
8. Lack of employee monitoring
9. Fired employees who are resentful


17 Safeguarding Information Systems Resources
Information systems audits
- Risk analysis
  - Process of assessing the value of protected assets
    - Cost of loss vs. cost of protection
- Risk reduction
  - Measures taken to protect the system
- Risk acceptance
  - Measures taken to absorb the damages
- Risk transfer
  - Transferring the absorption of risk to a third party

18 Technological Safeguards
Physical access restrictions
Firewalls
Encryption
Virus monitoring and prevention
Audit-control software
Dedicated facilities

19 Technological Safeguards
Physical access restrictions
- Authentication
  - Use of passwords
  - Photo ID cards, smart cards
  - Keys to unlock a computer
  - Combination
Authentication dependent on
- Something you have
- Something you know
- Something you are

20 Biometrics
Form of authentication
- Fingerprints
- Retinal patterns
- Body weight
- Etc.
Fast authentication
High security

21 Access-Control Software
Access only to files required for work
Restriction of access level
- Read only, modify, delete
Certain time periods for allowed access
Business systems applications
- Built-in access control capabilities

22 Wireless LAN Control
Wireless LAN cheap and easy to install
Use on the rise
Signal transmitted through the air
- Susceptible to being intercepted
- Drive-by hacking

23 Virtual Private Networks
Connection constructed dynamically within an existing network
Tunneling
- Send private data over public network
- Encrypted information

24 Firewalls
System designed to detect intrusion and prevent unauthorized access
Implementation
- Hardware, software, mixed
Approaches
- Packet filter – each packet examined
- Application-level control – security measures only for certain applications
- Circuit-level control – based on certain type of connection
- Proxy server – firewall acts as the server and intercepts all messages; Network Address Translation (NAT)

25 Firewall Architecture
Basic software firewall for a home network
Firewall router
- Home office
- Small office

26 Firewall Architecture (cont’d)
Larger organizations

27 Encryption
Message encoded before sending
Message decoded when received
Encryption allows for
- Authentication—proving one’s identity
- Privacy/confidentiality—only intended recipient can read a message
- Integrity—assurance of unaltered message
- Nonrepudiation—use of digital signature to prove that a message did originate from the claimed sender

28 The Encryption Process
Key—code that scrambles the message
- Symmetric secret key system
  - Sender and recipient use the same key
  - Cons: management problems
- Public key technology
  - Asymmetric key system
  - Each individual has a pair of keys
    - Public key—freely distributed
    - Private key—kept secret

29 How Encryption Works (Asymmetric)
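The asymmetric process of slides 27 to 29, worked through as an added example that is not part of the original presentation: textbook RSA with tiny constructed primes, where Alice encrypts to Bob's public key (confidentiality) and signs with her own private key (integrity and nonrepudiation). The key sizes, party names and message are illustrative assumptions.

```python
"""Toy asymmetric encryption and signing (textbook RSA with tiny primes).
Keys this small, with no padding and one byte per block, are for illustration
only: real systems use 2048-bit or larger keys with OAEP/PSS padding, and a
deterministic per-byte cipher like this one leaks which bytes repeat."""
from hashlib import sha256


def generate_keypair(p, q, e=17):
    """Return (public, private) as ((e, n), (d, n)) from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (e, n), (d, n)


def encrypt(public, plaintext):
    """Anyone holding the freely distributed public key can encrypt to its owner."""
    e, n = public
    return [pow(b, e, n) for b in plaintext]


def decrypt(private, ciphertext):
    """Only the holder of the matching private key recovers the plaintext bytes."""
    d, n = private
    return bytes(pow(c, d, n) for c in ciphertext)


def sign(private, message):
    """Nonrepudiation: the sender signs the SHA-256 digest with its private key."""
    d, n = private
    return [pow(b, d, n) for b in sha256(message).digest()]


def verify(public, message, signature):
    """Integrity and authentication: recover the digest with the claimed sender's
    public key and compare it with a fresh digest of the received message."""
    e, n = public
    recovered = bytes(pow(s, e, n) for s in signature)
    return recovered == sha256(message).digest()


def demo():
    alice_pub, alice_priv = generate_keypair(61, 53)  # constructed: n = 3233
    bob_pub, bob_priv = generate_keypair(101, 107)    # constructed: n = 10807
    message = b"Transfer 100 to account 42"           # constructed sample
    ciphertext = encrypt(bob_pub, message)     # Alice -> Bob, only Bob can read it
    signature = sign(alice_priv, message)      # Alice proves the message is hers
    return {
        "decrypted": decrypt(bob_priv, ciphertext),
        "verified": verify(alice_pub, message, signature),
        # an altered message no longer matches the signed digest
        "tampered_verified": verify(alice_pub, b"Transfer 900 to account 42", signature),
    }
```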

30 Encryption for Web Sites
Certificate Authority
- Third party—trusted middleman
- Verifies trustworthiness of a Web site
- Checks for identity of a computer
- Provides public keys
Secure Sockets Layer (SSL)
- Developed by Netscape
- Popular public-key encryption method

31 Other Encryption Approaches
1976—Public/private key
1977—RSA
- Technology licensed to Lotus and Microsoft
- Federal law prohibited exporting encryption technology
- Limited use by organizations
1991—Pretty Good Privacy
- Versatile encryption program
- Global favorite
1993—Clipper chip
- Chip generating uncrackable codes
- Scrapped before it became reality

32 The Evolution of Encryption
Future encryption programs will provide
- Strong security
- High speed
- Usability on any platform
- Encryption for cellular phones
- Encryption for PDAs

33 Virus Monitoring and Prevention
Virus prevention
- Purchase and install antivirus software
- Update frequently
- Do not download data from unknown sources
  - Flash drives, disks, Web sites
- Delete (without opening) e-mails from unknown sources
- Do not blindly open e-mail attachments
  - Even if they come from a known source
- Report any viruses to the IT department

34 Audit-Control Software
Keeps track of computer activity
Spots suspicious action
Audit trail
- Record of users
- Record of activities
IT department needs to monitor this activity
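As an added example that is not part of the original presentation, the access-level and time-period restrictions of slide 21 combined with the audit trail and suspicious-action spotting of slide 34: every access decision is recorded, and a detector scans the trail for users with repeated denials. The policy, user names, file path and timestamps are constructed for illustration.

```python
"""Access-control checks (read/modify/delete levels, allowed hours) that write an
audit trail, plus a detector that scans the trail. All data here is constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import IntEnum

class Level(IntEnum):
    """Access levels in increasing order; a grant at one level covers the lower ones."""
    READ = 1
    MODIFY = 2
    DELETE = 3

@dataclass(frozen=True)
class Grant:
    level: Level
    start: time  # allowed window start (inclusive)
    end: time    # allowed window end (exclusive)

@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    path: str
    requested: Level
    allowed: bool
    reason: str

class AccessController:
    """Allows access only to files a user has a grant for, at or below the granted
    level and inside the granted hours; every decision goes to the audit trail."""

    def __init__(self, policy):
        self.policy = policy  # {user: {path: Grant}}
        self.trail = []       # record of users and their activities

    def check(self, user, path, requested, when):
        grant = self.policy.get(user, {}).get(path)
        if grant is None:
            allowed, reason = False, "no grant for this file"
        elif requested > grant.level:
            allowed, reason = False, f"{requested.name} exceeds granted {grant.level.name}"
        elif not (grant.start <= when.time() < grant.end):
            allowed, reason = False, "outside allowed hours"
        else:
            allowed, reason = True, "ok"
        self.trail.append(AuditEntry(when, user, path, requested, allowed, reason))
        return allowed

def repeated_denials(trail, threshold=3, window=timedelta(minutes=10)):
    """Spot suspicious action: users with `threshold` or more denied requests
    falling inside any span of length `window`."""
    denied = {}
    for entry in sorted(trail, key=lambda e: e.when):
        if not entry.allowed:
            denied.setdefault(entry.user, []).append(entry.when)
    flagged = set()
    for user, times in denied.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged

def demo():
    payroll = "/finance/payroll.xlsx"  # constructed path
    policy = {
        "alice": {payroll: Grant(Level.MODIFY, time(8), time(18))},
        "bob": {payroll: Grant(Level.READ, time(8), time(18))},
    }
    ac = AccessController(policy)
    day = datetime(2024, 3, 4)
    requests = [  # constructed activity for one working day
        ("alice", payroll, Level.MODIFY, day.replace(hour=9)),
        ("bob", payroll, Level.MODIFY, day.replace(hour=9, minute=5)),
        ("bob", payroll, Level.DELETE, day.replace(hour=9, minute=6)),
        ("bob", payroll, Level.DELETE, day.replace(hour=9, minute=7)),
        ("alice", payroll, Level.READ, day.replace(hour=23, minute=30)),
        ("carol", payroll, Level.READ, day.replace(hour=10)),
    ]
    decisions = [ac.check(*req) for req in requests]
    return decisions, repeated_denials(ac.trail)
```

Only bob is flagged: three denied escalation attempts within two minutes, whereas alice's single off-hours request and carol's single request without a grant are denied but stay below the threshold.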

35 Facilities
Specialized facilities are important
Technical requirements
- Power
- Cooling
How do organizations reliably protect themselves from threats?

36 Ensuring Availability
High-availability facilities
- To ensure uninterrupted service
- Self-sufficient
- Backup cooling systems
- Raised floors (to more easily reconfigure systems)
- Built to withstand storms
Collocation facilities

37 Securing the Facilities Infrastructure
Backups
- Secondary storage devices
- Regular intervals
Backup sites
- Cold backup site
- Hot backup site
Redundant data centers
- Different geographic areas
Closed-circuit television (CCTV)
- Monitoring for physical intruders
- Video cameras display and record all activity
- Digital video recording
Uninterruptible power supply (UPS)
- Protection against power surges

38 Human Safeguards
Use of federal and state laws as well as ethics


40 Managing Information Systems Security
Non-technical safeguards
- Management of people’s use of IS
- Acceptable use policies
- Trustworthy employees
- Well-treated employees

41 Developing an Information Systems Security Plan
Ongoing five-step process
1. Risk analysis
   a. Determine value of electronic information
   b. Assess threats to confidentiality, integrity, and availability of information
   c. Identify most vulnerable computer operations
   d. Assess current security policies
   e. Recommend changes to existing practices to improve computer security

42 Security Plan: Step 2
2. Policies and procedures—actions to be taken if security is breached
   a. Information Policy—handling of sensitive information
   b. Security Policy—technical controls on organizational computers
   c. Use Policy—appropriate use of in-house IS
   d. Backup Policy
   e. Account Management Policy—procedures for adding new users and removing user accounts
   f. Incident Handling Procedures—handling a security breach
   g. Disaster Recovery Plan—restoration of computer operations

43 Security Plan: Remaining Steps
3. Implementation
   a. Implementation of network security hardware and software
   b. Dissemination of IDs and smart cards
   c. Responsibilities of the IS department
4. Training—organization’s personnel
5. Auditing
   a. Assessment of policy adherence
   b. Penetration tests

44 Designing the Recovery Plan
Two types of objectives
- Recovery time objectives
  - Maximum time allowed to recover
- Recovery point objectives
  - How current should the backup material be?

45 Responding to a Security Breach
Restore lost data
Perform new risk audit
Implement additional safeguards
Contact law enforcement

46 The State of Systems Security Management
Financial losses of cybercrime are decreasing
- Financial fraud attacks result in the greatest financial losses
- Only about 29% of organizations utilize cyberinsurance
- Only about 29% of organizations report intrusions to law enforcement
  - Fear of falling stock prices
- Most organizations do not outsource security activities
- Nearly all organizations conduct routine security audits
- Most organizations agree security training is important
  - Majority said they do not do enough training

47 Use of Security Technologies
CSI/FBI computer crime and security survey respondents (2007)


49 IS Controls, Auditing, and Sarbanes-Oxley Act
Information systems controls
- Specific IT processes designed to ensure reliability of information
- Controls should be a combination of three types of controls:
  - Preventive controls
  - Detective controls
  - Corrective controls

50 Hierarchy of IS Controls

51 Types of IS Controls
Policies
- Define aim and objectives
Standards
- Support the requirements of policies
Organization and management
- Define the lines of reporting
Physical and environmental controls
- Protect the organization’s IS assets

52 Types of IS Controls (cont’d)
Systems software controls
- Enable applications and users to utilize the systems
Systems development and acquisition controls
- Ensure systems meet the organization’s needs
Application-based controls
- Ensure correct input, processing, storage, and output of data; maintain a record of data as it moves through the system

53 IS Auditing
Information systems audit
- Performed by external auditors to help organizations assess the state of their IS controls
  - To determine necessary changes
  - To assure IS availability, confidentiality, and integrity
Risk assessment
- Determine what type of risks the IS infrastructure faces
Computer-Assisted Auditing Tools (CAAT)
- Specific software to test applications and data, using test data or simulations

54 The Sarbanes-Oxley Act
Formed as a reaction to large-scale accounting scandals
- WorldCom, Enron
Primarily addresses the accounting side of organizations
Companies have to demonstrate that
- controls are in place to prevent misuse and fraud
- controls are in place to detect potential problems
- measures are in place to correct problems
COBIT (Control Objectives for Information and Related Technology)
- Set of best practices
- Help organizations to maximize the benefits from their IS infrastructure
- Establish appropriate controls

55 End of Chapter Content

56 Opening Case—Managing in the Digital World: Drive-by Hacking
60–80% of corporate wireless networks do not use security
“War driving”—a new hacker tactic
“War spamming”
- Attackers link to an e-mail server and send out millions of spam messages
Businesses fight back using bogus access points
Network scanners distinguish between real and fake APs
Fast Packet Keying—to fix shortcomings of Wired Equivalent Privacy (WEP)
Source: http://shop.netstumbler.com/SearchResult.aspx?CategoryID=26

57 Backhoe Cyberthreat
Telecommunications infrastructure is vulnerable
- Damage to telephone lines, fiber-optic cables, water lines, gas pipelines
- 675,000 incidents in 1 year
- Underwater cables frequently cut by accident
- Cable cuts happen on average once every three days
- Infrastructure information publicly available
- Most of Internet communication goes through cables buried along major highways and railroads
- Only two major routes across the United States for Internet traffic

58 Adware/Spyware Lurks on Most PCs
Webroot
- Producer of software to scan and eliminate spyware
Webroot company data
- 66 percent of scanned PCs infected with at least 25 spyware programs
- Incidents of spyware slightly decreasing

59 Hacking an Airplane
Aircraft use more and more information technologies
- For example, Boeing’s 787 Dreamliner has various onboard networks
- Network for providing in-flight Internet access is connected to control, navigation, and communication systems
Passengers could possibly access flight controls
IT experts urge Boeing to separate flight controls and passenger systems
“This is serious.”

60 Stealing Wi-Fi
“Piggy-backing” on unprotected Wi-Fi signals is a common practice.
54% of Internet users have used someone else’s signal.
In the United States and the United Kingdom this is illegal
- 1986 Computer Fraud and Abuse Act
- Several arrests for using others’ Wi-Fi
Unless you’re invited to use someone’s Wi-Fi network, using it is probably not a good idea

61 The Disruptive Duo: Niklas Zennström and Janus Friis
Started peer-to-peer service KaZaa
- Frequently used for illegal file sharing
- Criticized for containing spyware
- Sold it in 2001
Created Skype in 2003
- Peer-to-peer Internet calling
- Sold to eBay for $3 billion in 2008
Started Joost in 2007
- Online television station
- 353 channels
- 17,000 programs
Which industry will they disrupt next?

62 Recharging Gadgets Wirelessly
Current devices such as cell phones, iPods, and digital cameras suffer from a lack of long battery life.
WildCharge now offers a wireless charger
- Size of a piece of paper
- Device just has to be placed on the sheet to charge it

63 Banking Industry
In the past—highly regulated industry
- Banks limited to certain locations and services
- Efforts to make banks safer
- Regulations prevented banks from competition
1970 to present—many regulations eliminated
- Acquisitions, consolidations, and integration across state lines
- Better customer service at lower prices
- Benefits to overall economy
Internet era
- Customers assess banks based on online banking services

