Vous êtes sur la page 1sur 14

ICT for Strategic Advantage

TOPIC SEVEN SECURITY, SYSTEM CONTROL, AND AUDIT


At the end of this Topic you will be able to:
Define computer security and explain why employees are an integral part of achieving a
secure environment.
Describe reasons for computer security breaches
Understand the range of security violations
Describe Disaster Recovery Plan DRP!
Understand the steps in developing a DRP
"hat is a computer virus and how can their transmission be prevented#
Understand the need for control and different categories of control
Understand computer audit$ audit trails and categories of %omputer Aided Audit Trails
%AAT!
Describe the techni&ues for controlling '(
Understand control of security ris)s of 'nternet access
COMPUTER SECURITY
%omputer security is the process of protecting and safeguarding hardware$ software$
networ)s$ physical facilities$ data$ and personnel from accidental$ intentional$ or natural
disasters. 't includes activities such as accidental input or output errors$ theft$ brea)*ins$
physical damage$ and illegal access and manipulation. (ecurity is a seven*day. +,*hour
operation and this business function can never afford to go on vacation. %omputer security is
a complex$ pervasive problem. 'n large part this is because the range of security violations is
so vast and so costly. Ris)s from 'T malfunctioning now ran) with earth&ua)es and
hurricanes in potential economic losses$ and if one contemplates various failure scenarios
such as a global 'nternet*borne software plague or deliberate acts of information terrorism$
the financial damage estimates are similar to those from a nuclear power plant accident.
Table -$ provides a sample of range of security violations.
SECURITY VIOLATIONS
%ompany data theft by employees
.aining access to information stored on computer
networ)s by crac)ing passwords
'ndustrial espionage by criminals eavesdropping on
wireless communications or on /A0s and 'nternet
connections
Deliberate$ unauthori1ed modification of software
Theft of employees2 identities to ma)e outrageous or
illegal statements on the 'nternet
(tarting or fueling rumors on the 'nternet that are
designed to harm the company
Denial of service attac)s in which people call a toll*free
number or send an e*mail but the number stays
perpetually busy or they are denied access
Table -. %ommon Types of (ecurity 3iolations
ICT for Strategic Advantage
%ompanies often struggle to balance proper security with the cost and convenience of
providing it. They need secure environments without stifling or offending their employees.
Achieving this balance re&uires more sophisticated e&uipment$ policies$ and procedures. 't
also re&uires the support of all employees$ common sense$ good 4udgment and share
corporate values and trust and integrity. 'n particular$ it is important to educate employees
about the critical nature of security violation and also to sensitise managers to the dangers of
security violations. .upta +555! has investigated reasons for security breaches$ some of the
)ey reasons are described in table +.
(ource 6xamples
7any employees
have access to
system
8nly select employees should have access to payroll
systems9 if access isn2t restricted$ a mista)e someone2s
pay chec) gets sent to the wrong ban)! or intentional
security violation someone funnels other employees2
wages to their account! is more li)ely to occur.
'ncreased system
complexity
'f an information system fails$ it could be due to the
software$ hardware$ networ)$ input error$ a crac)er$ or
some other problem. The more complex the system$ the
more difficult it is to locate a violation.
%yber terrorism
on the 'nternet
Unscrupulous individuals can intercept credit*card
numbers and other private information over the 'nternet.
0etwor)
vulnerabilities
0etwor)s rely on many components to function9 someone
can breach one part from a cable wire to the software that
runs the system and access the entire information system.
%omplacent
management
7anagers who don2t fully understand the importance of
computer security or the li)elihood that their business is at
ris) fail to invest in security tools and techni&ues.
Table +. (ources of (ecurity 3iolations
TYPES OF COMPUTER SECURITY BREACHES
Although hundreds of )inds of computer security breaches occur$ they can be broadly
classified into three categories: accidental errors$ intentional errors$ and natural disasters.
These categories are listed in table : and described in more details in the following sections.
Types of (ecurity ;reaches Description
Accidental or
Unintentional errors
Accidents relating to hardware and software.
6mployees can also cause unintentional security
breaches.
'ntentional errors
%rac)ing passwords
;rea)ing into
computer hardware
(oftware virus
7ost common type of security violation in which
individuals intentionally decode passwords.
;rea)ing into computer hardware such as modems$
faxes$ and cellular phones.
'nfected software that behaves in an unexpected and
undesirable ways.
0atural disasters Tornadoes$ earth&ua)es$ and other disasters that
causes computer systems to fait.
Table :. %ategories of security breaches
ICT for Strategic Advantage
Accidental o Unintentional Eo!
The cost of unintentional security damage exceeds the cost of premeditated computer crime.
'n the case of hardware$ components such as memory$ networ) connection cards$ networ)
cabling$ networ) servers$ and so on$ may accidentally fail and cause a security breach.
%ables$ modems$ faxes$ and cellular phones are particularly vulnerable to accidental failures.
<or instance$ cables are installed underground or on rooftops$ so they are hidden from the
public eye and often forgotten when creating security plans and policies. =owever$ cables
can be accidentally cut or destroyed during building repairs and maintenance$ resulting in
serious security violations$ expense$ and information loss. (oftware$ another cause of
accidental errors$ can create security problems through input$ processing$ output$ or storage
errors. ;usinesses can reduce accidental security violations to hardware or software through
education$ training$ and establishing clear security policies and procedures. A business
should also introduce methods that help trac) hardware. (ome examples include re&uiring
that a team of individuals be responsible for any movement of hardware inside or outside the
company collective memory is better than individual memory! and re&uiring fre&uent
inventories of hardware items and their locations.
Intentional Eo!
'ntentional security violations are common. 7any experts believe that '( personnel are the
greatest threat to security because they have intricate )nowledge about the information
system. 6xamples of intentional violations include illicit entry to a system$ accessing valuable
and proprietary corporate data$ stealing passwords$ >listening> to electronic mail$ or
destroying or appropriating important files. These serious security violations may go
undetected for days$ wee)s$ or even months$ particularly if the violator is s)illed. /et2s briefly
examine three prevalent types of intentional security breaches: crac)ing passwords$ brea)ing
into computer hardware$ and creating or distributing software viruses.
Cac"in# Pa!!$od!
%rac)ing or decoding passwords$ the Achilles heel of computer security$ is one of the most
common security violations. %rac)ers can guess passwords or capture them as they travel
over the networ). 8nce the password of the super user the user$ such as a system
administrator$ who has access to all other passwords! is crac)ed$ the perpetrator gains full
control of the networ). (he or he can set up pseudo accounts$ use the system to uncover
more passwords and retrieve confidential and vital information without being detected.
Bea"in# into Co%&'te Had$ae
7odems$ faxes$ and cellular phones are particularly vulnerable to brea)*ins. Although
modems are central to electronic communications$ they are also highly vulnerable to security
breaches. There are software programs available in the mar)et that can identify all phone
numbers hoo)ed to a modem. 't then brea)s down the passwords and allows hac)ers to gain
illegal access to the system. These software programs are not illegal because system
administrators use them to monitor and manage their systems.
ICT for Strategic Advantage
So(t$ae Vi'!
A software virus is program that causes a computer system to behave in undesirable and
unexpected ways. The symptoms of software viruses are listed below. This section is
described in more details in the following sections.
'nexplicable loss of free memory
Unusually long program loading or execution times
%hanges in program or file si1e
7alfunctioning print routines
%omputer free1ing
Unusual messages or beeps
%omputer rebooting in the midst of a process
%orrupt files
Nat'al Di!a!te!
The third type of security breach is caused by natural disasters such as lightning$ floods$
hurricanes$ earth&ua)es$ and tornadoes. (ometimes referred to as >corporate heart attac)s?$
natural disasters can wipe out a company2s entire information system. 0atural disasters can
affect power supplies$ cooling systems$ communication networ)s$ alarm systems$ building
structures$ and other facilities that support computer systems.
=ow much money should a company invest to protect itself from natural disasters# Although
cost*benefit analysis is an important consideration$ the &uestion is not? what is the probability
of a disaster stri)ing#> 'nstead the right &uestion is @what is at ris) if a disaster stri)es?# To
assess this ris)$ companies should answer the following )ey &uestions:
"hat is the loss in revenue if disaster stri)es#
"ill disaster adversely affect the competitive position of the firm#
=ow will suppliers$ creditors$ and stoc)holders be affected#
"ill customers ta)e their business elsewhere#
=ow will the disaster affect the financial health of the organi1ation#
DISASTER RECOVERY PLAN )DRP*
DRP is a plan that details how a company will sustain and maintain its information systems
and services in the case of a disaster. .iven that there are many reasons for and types of
security breaches$ it is important that companies should have a security plan and clear
policies in place to prevent security breaches. The next step is to develop a comprehensive
disaster recovery plan DRP! to prepare for natural disasters. (uch plans can help a
company to restart operations within hours of a disaster. There are seven steps in developing
a DRP:
-. 'dentify specific situations that are classified as a disaster.
+. 0ame the individuals who have the$ right and the responsibility to declare a disaster.
:. 'dentify specific steps for declaring a disaster.
,. 'nventory all crucial corporate assets$ functions$ and resources that are essential to

operate the business$ and prioritise those assets.
A. (pecify the general course of action the business will ta)e when disaster stri)es.
B. Develop a specific course of action that each employee must ta)e to ma)e the company
operational when disaster stri)es.
C. 'dentify resources re&uired to recover from the disaster$ including money$ time$
personnel$ and facilities.
ICT for Strategic Advantage
;ut developing a plan is not enough. A DRP is effective only if it is well tested$ well
rehearsed$ and up*to*date. %ompanies should evaluate their disaster recovery plans through
testing. 6ach and every step in the plan should be practiced and tested regularly$ so
employees )now what to do in the aftermath of a disaster. The plan should be )ept current to
specify new 'T assets and ris)s that increase the firm2s vulnerability.
;usinesses that are successful in protecting their data and information systems from
unwanted eves and hands treat security as an integral part of their corporate culture. 'n such
companies$ security is not an afterthought$ nor is it the sole responsibility of a few individuals.
'nstead$ employees understand how effective security protects the financial stability of the
company and behave accordingly. (ome )ey guidelines for computer security are identified
as:
Recognising the symptoms of security breaches
;e aware of disgruntled employees
'nvolve law enforcement when a security breach is suspected
;uild security partnerships
%onvince top management that security is not an option
THE NEED FOR CONTROL
The importance of '%T to organisations is continually increasing as a result of widespread
use of and technological developments. "hile this is happening$ the reliance on the
information also increases$ as do the conse&uences of the information being lost or
destroyed. %ontrols on '( are mainly based on two underlying principles: the need to ensure
the accuracy of the data held by an organisation$ and the need to protect against loss or
damage to corporate information or 'T resource and facilities. 't is also important to
remember that in todayDs competitive environment$ the value of information hold by an
organisation is often more significant asset than the hardware which can be more readily
replaced. Therefore controls should focus on protecting the information. There are five main
categories of controls that can be applied to '( are:
+ , PHYSICAL PROTECTION
Physical protection involves the use of physical barriers intended to protect theft and
unauthorised access. Physical controls safeguard the environment of a computer and its
related assets. These controls are important because the best of systems can fail miserably
if the environment is unsuitable. %ontrolling the physical environment includes a whole range
of factors from room temperature to power supply$ from protecting systems from natural
disasters$ li)e flood and hurricane$ to preventing theft and vandalism. Physical controls
include posting security personnel$ installing fire alarms$ security alarms$ and hidden
cameras$ and re&uiring users to wear badges or use smart cards to gain access to a
building. 7ost facilities also include environmental control devices that monitor and control
the air and temperature in a building in which a computer resides.
ICT for Strategic Advantage
- , BIOMETRIC CONTROLS
These controls ma)e use of the uni&ue characteristics of individuals in order to restrict
access to sensitive information or e&uipment. Techni&ues of biometric control: scanners that
chec) fingerprints$ voice prints even retinal patterns. Until relatively recently$ the expense
associated with biometric control systems placed them out of the reach of all but the largest
organisations. 'n addition$ many organisations held reservations concerning the accuracy of
the recognition methods used to identify specific individuals. =owever$ with the introduction
of more sophisticated hardware and software$ both of these problems have been largely
resolved. 7any organisations have now begun to loo) at ways in which biometric control
systems could be used to reduce instances of fraud. 't According to ;oci4$ within five years$
ban)s are expected to introduce automated teller machines AT7! that use finger prints and
retinal patterns to identify customers.
. , TELECOMMUNICATIONS CONTROLS
These controls help verify the identity of a particular user. Techni&ues of telecommunications
controls: passwords and user validation routines. As an example$ when a new networ)
account is created for a given user$ they may be as)ed to supply several pieces of personal
information$ such as the name of a spouse or a date of birth. "hen the user attempts to
connect to the networ) system via a modem$ they will be as)ed to confirm their identity by
providing some of the information given when the account was created.
/ , FAILURE CONTROLS
<ailure controls attempt to limit or avoid damage caused by the failure of an information
system. Techni&ues of failure control: regular bac)ups of data and recovery procedures.
0 , AUDITIN1
Techni&ues of auditing is ta)ing stoc) of hardware$ software and data at regular intervals.
"ith regard to software and data$ audits can be carried out automatically with an appropriate
program. Auditing software wor)s by scanning the hard dis) drives of any computers$
terminals and servers attached to a networ) system. As each hard dis) drive is scanned$ the
names of any programs found are added to a log. This log can be compared to a list of the
programs that are legitimately owned by the organisation. (ince the log contains information
concerning the whereabouts of each program found$ it is relatively simple to determine the
location of any unauthorised programs. 'n many organisations$ auditing programs are also
used to )eep trac) of software licences and allow companies to ensure that they are
operating within the terms of their licence agreements. 8ne way of auditing a '( system is to
provide an audit trail.
A'dit Tail!
An audit trail is defined by the ;ritish %omputer (ociety as @a record of the file updating that
ta)es place during a specific transaction?. 't enables a trace to be )ept of all operations on
file. The original concept of a management or audit trail was to print out data at all processing
so that a manager or auditor could follow transactions stage*by*stage through a system to
ensure that they had been processed correctly.
ICT for Strategic Advantage
7odern computer have now cut out much of this laborious$ time*consuming stage*by*stage
wor)ing but there should still be some means of identifying individual file records and the
input output documents associated with the processing of any individual transaction.
=owever$ with the complexity of 'T systems$ there has been a corresponding loss of audit
trail. To overcome these difficulties$ auditors employ %omputer Aided Audit Techni&ues
%%ATs!. (ome special computer aided audit techni&ues might be used eg auditing test
pac)s$ and computer audit programs to read files$ extract defined information and carry out
audit wor) on the controls!. There are two principal categories of %AAT: test data and audit
software.
Te!t data
Audit test data$ or test pac)s$ consists of data prepared by the auditor for processing the
computer system. 't may be processed during a normal processing run live data! or during a
special run at a point in time outside the normal cycle dead test data!. The use of test data
provides 2compliance comfort2 to the auditor in respect time only if he obtains reasonable
assurance that the programs processing his test data were used throughout the period under
review. To allow a continuous review of data the manner in which it is treated by the system$
it may be possible to use %%ATs referred to as embedded audit facilities. An embedded
facility consists of coding or additional data provided by the auditor and incorporated into the
system itself. Two examples are set out below.
A'dit Pac"a#e!
Auditing pac)ages are used by auditors to help them with auditing a computer system$ they
provide two functions.
-. They generate test data sets which may then be processed by the client2s system to
evaluate its effectiveness and internal controls.
+. They may be used to aid the testing of a client2s records as part of the general review of
the client2s performance and accounting operations.
(tandard software pac)ages are available to help auditors with the audit of a computer
system$ features include:
Reformatting of a master file to allow interrogation of it by audit programs
%omputational chec)s on interest$ discounts$ extensions$ totals etc
The verification of file controls
The verification of individual balances on records
The extraction of random samples of items for chec)s
The facility to print out any data from a master file in any format the auditor re&uires
The extraction of records meeting certain value! criteria from a file sampling!.
The organisation2s personnel should be isolated from the auditing tests underta)en.
%omputer crimes are most often committed by the data processing personnel so any
intensive review of their wor) practices or the systems they control will first need to remove
them from any position which could alter the normal wor)ing of the system. 'f the system has
been subverted the auditor has a duty to catch it in the act if possible.
ICT for Strategic Advantage
%omputerised auditing pac)ages that generate test data sets may be used to chec) that a
system is processing transactions correctly. <or example$ in the audit pac)age for an
accounts system$ it would be possible to determine how various test data transactions should
show up in the accounts$ if some error occurred in processing them$ further investigation
would be necessary. 6rrors could have two sources: an inadvertent error in the design or
implementation of the system$ or a purposeful malfunction intended to defraud the
organisation. (ystem bugs identified by the auditors should be brought to the attention of the
client so that they may be corrected. <raudulent processing operations will also need to be
pursued with a particular view to establishing the extent of the operation and responsibility.
The use of auditing pac)ages also provides the auditor with a variety of computerised tools
which may be used not only for evaluating the computer system and its operations but may
also be extended to the auditing of other organisational functions. These programs perform
generalised audit tests and may be widely used among a variety of clients.
A software licence enables a company to ma)e several copies of a
program$ allowing it to ac&uire important programs at reduced cost.
Typically$ a company will purchase a single copy of the program and install
this on as many computers as re&uired. (ince only one copy of the
program and any accompanying documentation is re&uired$ costs are
reduced for both the company and the supplier. The terms of the software
licence will determine how many copies of the program can be made. A -5*
user licence$ for example$ allows a company to ma)e up to -5 copies of a
program for use by its employees.
Le#al contol!
'n addition to the physical and procedural controls mentioned above$ control is also available
from legislation. .overnments can use this to their advantage in preventing security
breaches.
TECHNI2UES FOR CONTROLLIN1 IS
This section describes the most common techni&ues used to control computer base
'nformation (ystems$ including:
<ormal security policies
Passwords
<ile encryption
8rganisational procedures governing the use of '(
User*validation techni&ues
Fo%al !ec'it3 &olic3
Perhaps the simplest and most effective control is the formulation of a comprehensive policy
on security. Among a wide variety of items$ such a policy should outline:
"hat is considered to be an acceptable use of the information system#
"hat is considered an unacceptable use of the information system#
The sanctions available in the event that an employee does not comply with security
policy
Details of the controls in place$ including their form$ function and plans for developing
these further.
ICT for Strategic Advantage
8nce a policy has been formulated$ it must be publicised in order for it to effective. 'n
addition$ the support of management is essential in order to ensure employees adhere to the
guidelines contained within the policy.
Pa!!$od!
The password represents one of the most common forms of protection for 'T systems. 'n
addition to providing a simple$ inexpensive means of restricting access to e&uipment and
sensitive data$ passwords also provide a number of other benefits. Among these are the
following:
Access to the system can be divided into levels by issuing different f employees based on
their positions and the wor) they carry out.
The actions of an employee can be regulated and supervised by monitoring use of his or
her password.
Passwords are changed fre&uently to reduce the ris) of their becoming )nown.
'f a password is discovered or stolen by an external party$ it should be possible to limit
any damage arising as a result.
The use of passwords can encourage employees to ta)e some of the responsibility for
the overall security of the system.
Enc3&tion
An additional layer of protection for sensitive data can be provided by ma)ing use of
encryption techni&ues. 7odern encryption methods rely on the use of one or more )eys.
"ithout the correct )ey$ any encrypted data is meaningless$ and therefore of no value to a
potential thief.
Poced'e!
Under normal circumstances$ a set of procedures for the use of an information system will
arise from the creation of a formal security policy. (uch procedures should describe in detail
the correct operation of the system and responsibilities of users. Additionally$ the procedures
should highlight issues related to security$ should explain some of the reasoning behind them
and should also describe the penalties for failing to comply with instructions.
U!e 4alidation
User validation techni&ues are of particular importance in the use of '%T. 't is necessary to
verify the identity of users attempting to access the system from outside the organisation. A
password is insufficient to identify the user since it might have been stolen or accidentally
revealed to others. =owever$ by as)ing for a date of birth$ 0ational 'nsurance number or
other personal information$ the identity of the user can be confirmed. Alternatively$ if the
location of the user is )nown$ the system can attempt to call the user bac) at their current
location. 'f the user is genuine$ the call will be connected correctly and the user can then
access the system. Although such methods do not offer total security$ the ris) of
unauthorised access can be reduced dramatically.
ICT for Strategic Advantage
BAC5UP PROCEDURES
A sudden loss of data can affect a company2s activities in a variety of ways. The disruption
caused to normal activities can result in significant financial losses due to factors such as lost
opportunities$ additional trading expenses and customer dissatisfaction. The cumulative
effects of data loss can prove detrimental in areas as diverse as corporate image and staff
morale. Perhaps the single most compelling reason for introducing effective bac)up
procedures is simply the expense involved in reconstructing lost data.
;oci4 et al -EEE! suggests$ one of the most common methods of protecting valuable data is
to use the @grandfather$ father$ son? techni&ue. =ere$ a rotating set of bac)up dis)s or tapes
are used so that three different versions of the same data are held at any one time. To
illustrate this method$ imagine a single user wor)ing with a personal computer and using
three floppy dis)s to store their data. 6ach day$ all of the data being wor)ed on is copied on
to the dis) containing the oldest version @grandfather? of that data. This creates a continuous
cycle that ensures that the oldest bac)up copy is never more than three days2 old. Table ,$
illustrates the operation of the @grandfather$ father$ son? method.
Da3 + Da3 - Da3 .
Dis) -
.randfather
Dis) +
.randfather
Dis) :
.randfather
Dis) +
<ather
Dis) :
<ather
Dis) -
<ather
Dis) :
(on
Dis) -
(on
Dis) +
(on
Table ,. The @.randfather$ <ather$ (on? bac)up method
As can be seen$ each dis) or tape moves through three generations. (ince three copies of
the data are maintained$ the ris) of data loss is reduced considerably. 'n the event of the
original data becoming corrupted or damaged in some way$ only changes made since the
last bac)up copy was made would be lost. 'n most cases$ this would amount to new or
altered data produced during the previous day. 'n addition$ only three sets of reusable media
are re&uired in order to ma)e bac)ups$ the costs involved can be considered low.
't is worth noting several general points concerning bac)ups of data:
The time$ effort and expense involved in producing bac)up copies will be wasted unless
they are made at regular intervals. =ow often bac)ups are made depends largely on the
amount of wor) processed over a given period. 'n general$ bac)ups will be made more
fre&uently as the number of transactions carried out each day increases.
;ac)up copies of data should be chec)ed each time they are produced. <aulty storage
devices and media may sometimes result in incomplete or garbled copies of data. 'n
addition$ precautions should be ta)en against computer viruses$ in order to prevent
damage to the data stored.
ICT for Strategic Advantage
The security of bac)up copies should be ensured by storing them in a safe location.
Typically$ an organisation will produce two sets of bac)up copies: one to be stored at the
company premises$ the other to be ta)en off the premises and stored at a separate
location. 'n this way$ a ma4or accident$ such as a fire at the company premises$ will not
result in the total destruction of the organisation2s data.
't is worth noting that not all data needs to be bac)ed up at regular intervals. (oftware
applications$ for example$ can normally be restored &uic)ly and easily from the original
media. 'n a similar way$ if a bac)up has already been made of a given item of data$ the
production of additional copies may not be necessary.
;ac)ups are often only made of a company2s file servers. "hile this will protect
information stored on the networ)$ information saved to individuals2 hard dis)s will not be
saved. Policies should be put in place to ensure that employees save all their wor) to the
networ)$ where it will be bac)ed up.
'n order to reduce the time ta)en to create bac)up copies$ many organisations ma)e use of
software that allows the production of incremental bac)ups. 'nitially$ a bac)up copy of all data
files is made and care is ta)en to ensure the accuracy of the copy. This initial$ complete
bac)up is normally referred to as a full bac)up sometimes also )nown as an archival
bac)up!. <rom this point on$ specialised bac)up is used to detect and copy only those files
that have changed in some way since the last bac)up was made. 'n the event of data loss$
damaged files can be replaced by restoring the full bac)up first$ followed by the incremental
bac)ups. 8ne of the chief advantages of creating incremental bac)ups is that it is possible to
trace the changes made to data files over time. 'n this way$ any version of a given file can
and restored.
CONTROLLIN1 SECURITY RIS5S OF INTERNET ACCESS
As well as representing opportunities$ the 'nternet also represents a ma4or challenge for the
'( manager of companies in avoiding malicious damage to company information. Particular
measures for controlling access from outside a company are:
Standad tec6ni7'e!8 The basic techni&ues$ namely bac)ing up data to ensure that it can
be restored if it maliciously deleted and using passwords to prevent access.
Fie$all!8 A firewall is a software application mounted on a separate server at the point the
company is connected to the 'nternet. <irewalls may have the following types of facilities to
monitor access re&uests to a company and preventive action.
<irewall software can be configured only to accept lin)s from trusted domains
representing other offices in a company or trading partners. =owever$ 'P address
spoofing simulation of these other addresses! can be used to access. <or this
reason$ security measures are continually evolving. 0ew standards$ such as the
authentication of 'P addresses in new 'P standard version B for example$ should
reduce the problem of 'P spoofing.
They support encryption of data pac)ets as they leave the site to other company
offices$ and decrypting on arrival will become standard to ma)e things more difficult
for eavesdroppers.
ICT for Strategic Advantage
Locate8 9e: and %ail !e4e! beyond the firewall. A company2s corporate system inside
the firewall will be more secure if "eb servers which will be accessed by people outside the
company! are not on the same networ) as the company data. 7any companies have
outsourced their "eb server hosting to third parties$ partly because of this reason.
Enc3&tion8 This can be a built*in function of firewalls or it can be included as a function of
"eb browsers. 6ncryption involves the @scrambling? or encoding of data before it is
transferred so that it cannot be understood if it is intercepted when in transit. "hen data is
received$ it is decoded or decrypted and it can then be read by the recipient. This decryption
can be made more secure if it is only available to third parties who have the authority to
decode the data. This uses a techni&ue )nown as digital certificates.
Vit'al &i4ate net$o"!8 3irtual Private 0etwor)s 3P0s! are secure networ)s which ma)e
use of the 'nternet infrastructure$ but use techni&ues such as firewalls and encryption to
secure transactions. 't is predicted by many analysts that 3P0s will become widely used
once companies become aware of the promise of security and relatively low cost available
with this option. "hen considering the security of transactions in an e*commerce
environment$ the basic principles of encryption$ authentication and integrity provide the
foundation of most 'nternet security systems. They are available in a variety of forms
according to the complexity of transaction needed of the e*commerce systems. 7ost security
systems use one or more of the standards listed in table A.
Standad F'nction E,co%%ece '!e
((/
(ecure (oc)et /ayer
Provide security for the data
pac)ets at the networ) layer
Applications using browsers$
web servers and 'nternet
systems
(*=TTP
(ecure =TTP
(ecurity at the web transaction
level
Applications using browsers$
web servers and 'nternet
systems
P.P Provides encryption and wea)
authentication for e*mail
transmitted across the 'nternet
(ecure e*mail transmission
for important information
(F7'76
(ecure 7'76
(ecurity for e*mail attachments
across various platforms
(ecure e*mail transmission
with encryption and digital
signature
(6T
(ecure 6lectronic
Transaction
(ecurity for credit transactions 6*commerce payments and
debits
Table A.(ome 'mportant 'nternet (ecurity (tandards for 6*commerce
THE COMPUTER VIRUS
%omputer 3irus is a computer program that is capable of self*replication$ allowing it to spread
from one 2infected2 machine to another. The release of the 'nternet "orm in -EGG caused
widespread concern when it was that estimated losses were between H-5 million and HE5
million. (imilar reaction occurred in ;ritain when details of the 3irus Tro4an emerged. ;oth
the 'nternet "orm and the 3irus Tro4an led to new legislation dealing crime. 'n the U( and
%anada$ new federal laws were passed that severe penalties for those causing deliberate
damage to data. 'n ;ritain$ the 7isuse Act of -EE5 was introduced by 7ichael %olvin and
new powers granted to <A(T <ederation Against (oftware Theft! in order to increase its
effectiveness against virus writers.
ICT for Strategic Advantage
There are three main types of computer virus: boot sector$ lin) and parasitic. The boot*sector
virus is capable of infecting both floppy and hard dis)s. The boot sector of a dis) contains a
set of instructions that will be executed each time the computer is switched on or reset. 'f a
virus infects the boot sector of a dis)$ it will be executed before any other program$ including
virus detection utilities. 8verall$ this type of virus accounts for approximately A5 per cent of all
virus infections$ although around -5 per cent of viruses are of this )ind.
A lin) virus attaches itself to the directory structure of a dis). 'n this way$ the virus is able to
manipulate file and directory information. /in) viruses can be difficult to remove$ since they
become embedded within the affected data. 8ften$ attempts to remove the virus can result in
the loss of the data concerned.
<inally$ parasitic viruses sometimes )nown as file infectors! insert copies of themselves into
legitimate programs$ such as operating system files$ often ma)ing little effort to disguise their
presence. 'n this way$ each time the program file is run$ so is the virus.
THE TRANSMISSION OF COMPUTER VIRUSES
A number of reports suggest that consultants$ maintenance engineers and employees ate
responsible for approximately ,5*B5 per cent of all virus infections. 8ften$ a virus infection
occurs as a result of employees bringing dis)s into wor) from their machines at home.
=owever$ several other factors have also been identified and these may help explain how
viruses are transmitted between home users. The sheer volume of illegal software copying is
almost certainly responsible for a large number of virus attac)s. The severity of the piracy
problem gives an indication of its importance as a factor in the transmission of viruses.
%ommercial software may also be responsible for a small number of virus infections each
year. 'n one incident$ for example$ some A5 855 copies of an infected utility dis) were
circulated in .ermany. ;ulletin board systems and shareware are also regarded as
significant factors in the transmission of computer viruses. The popularity of bulletin board
systems has declined steadily since the mid*-EG5s. 7uch of this decline can be attributed to
the fact that the services offered by many bulletin board systems have become redundant as
the 'nternet has grown in popularity. (hareware$ freeware$ criminal elements and individuals
are other sources of transmitting computer viruses. The ris) of virus infection can be reduced
to a minimum by implementing a relatively simple set of security measures:
Unauthorised access to machines and software should be restricted as far as possible
7achines and software should be chec)ed regularly with a virus detection program.
All new dis)s and any software originating from an outside source should be chec)ed
with a virus detection program before use or floppy drives can be removed from
networ)ed machines entirely$ with one central access point.
<loppy dis)s should be )ept write*protected whenever possible$ since it is physically
impossible for a virus to copy itself to a write*protected dis).
<loppy dis)s should not be )ept in the drive when the machine is switched off. 7ost virus
infections come from so*called boot*sector viruses$ which are enabled when a machine is
switched on with an infected dis) in the floppy drive.
Regular bac)ups of data and program files must be made in order to minimise the
damage caused if a virus infects the system.
3irus scanners are intended to detect and then safely remove virus programs from a
computer system. 8ne of the most effective methods of detecting virus infections uses a
process )nown as cyclic redundancy chec)ing or %R%. This involves the creation of a list of
uni&ue identification numbers for every file on a hard or floppy dis).
ICT for Strategic Advantage
;y comparing the current %R% number to the original$ it is possible to detect if any changes
have been made to a file. Thus$ cyclic redundancy chec)ing is able to detect the presence
and activity of virus. 3irus shields are T(R programs that constantly monitor and control
access to a system2s storage devices. Any unusual attempt to modify a file or write to a dis)
drive will activate a message as)ing the user to authorise the operation. A similar tas) is
performed by hardware virus detection devices. 7odern hardware protection devices can be
extremely sophisticated$ featuring their own processors$ dis) controllers and other expensive
components. =owever$ despite the claims of the manufacturers of these devices$ there is
little evidence to suggest that they are any more effective than software solutions. The use of
anti*virus software is particularly popular with owners of home computers. 6ssentially an anti*
virus is a benevolent virus program that copies itself to the boot sector of unprotected floppy
dis)s. 'f another virus attempts to overwrite the anti*virus$ it displays a message on the
screen warning the user of infection. A similar techni&ue is used to protect individual
programs by adding a small amount of inoculation code to the end of them. 6ach time the
program is run$ the inoculation routine evaluates the program2s chec)sum number and issues
a warning if the file has been altered in any way. =owever$ a drawbac) of this techni&ue is
that only a relatively small number of programs can be treated in this way.
8nce a virus has been detected there are three methods of removing it. The first$
disinfection$ attempts to restore damaged files and directory structures to their original
condition. =owever$ disinfection is not possible in all cases$ particularly when dealing with
parasitic viruses. The second techni&ue involves overwriting the virus program so that it is
permanently and irrevocably deleted from the dis). The third method is by restoring a bac)up
of the dis) before infection to the system.
2UESTIONS FOR DISCUSSION
%omputer security relies on common sense$ good 4udgment$ and shared corporate
values$ discuss.
Develop a presentation to convince the board of directors why investing in security
measures is li)e preventing a corporate heart attac)
Discuss the reasons for the need to control computer based '(
Discuss the development and use of DRP
Discuss the measures for controlling security ris)s of 'nternet access
Re(eence!
;oci4$ P.$ et al.$ @;usiness 'nformation (ystems?$ <inancial Times$ -EEE
.upta$ U.$ @'nformation (ystems?$ Prentice =all$ -EEE
/auden$ I.$ et al.$ @7anagement information systems: organisation and Technology?$ :
rd
edn$
7acmillan$ -EEA