
Chapter 10 – Information Systems Security

1 - What is the goal of IS security?


Threat: someone who seeks to obtain or alter data or other IS assets illegally, without the owner’s
permission and often without the owner’s knowledge, e.g. a hacker who wants to steal bank
credentials
Vulnerability: an opportunity for threats to gain access to assets, e.g. a hacker creates a
phishing site nearly identical to your online banking site
Safeguard: a measure taken to block the threat, e.g. only access sites using https
Target: the desired asset.

Types of threats and security losses (rows: type of loss; columns: source of the threat –
human error, computer crime, natural disaster):

Unauthorised data disclosure
 Human error: procedural mistakes, e.g. an admin at a university accidentally posts
student details in public when releasing exam grades
 Computer crime: pretexting (pretending to be someone else, e.g. a credit card provider);
phishing (email requesting confidential data); spoofing (pretending to be someone else,
e.g. IP and email spoofing); sniffing (intercepting computer communications, e.g.
wardrivers search for unprotected wireless networks and monitor and intercept traffic);
hacking (breaking into computers, servers or networks to steal data)
 Natural disaster: data may be inadvertently disclosed during recovery, because the focus
is on restoring system capability and normal security safeguards may be ignored

Incorrect data modification
 Human error: incorrectly modifying information, following procedures incorrectly,
system errors
 Computer crime: hacking
 Natural disaster: unintentional or malicious incorrect data changes

Faulty service
 Human error: sending the wrong goods to a customer, inaccurately billing customers, etc.
 Computer crime: usurpation – the computer system is invaded and replaced by
unauthorised programs that shut down legitimate apps and substitute processing to spy,
steal and manipulate data
 Natural disaster: service is improperly restored during recovery

Denial of Service (DoS)
 Human error: humans can inadvertently shut down a Web server by starting an intensive
app
 Computer crime: hackers flood a Web server, e.g. with millions of bogus service requests
that occupy the server so it cannot service legitimate requests
 Natural disaster: systems fail

Loss of infrastructure
 Human error: a bulldozer cutting a conduit of fiber-optic cables
 Computer crime: a terminated employee may steal corporate data servers, e.g. Tono from
RMPM stole 3 million people’s worth of data when he got fired
 Natural disaster: data centres are destroyed

2 - How big is the computer security problem?


Why is it difficult to know the true cost and size of the threats and losses of computer
security and computer crime?
 Disasters: the 2011 Japanese earthquake shut down manufacturing and the losses rippled
through the supply chain around the world
 There are no standards for tallying crime costs, e.g. does the cost of a DoS attack include
lost employee time, lost revenue or long-term revenue losses due to lost customers?
 All studies on the cost of computer crimes are based on surveys; different respondents
interpret terms differently, and some organisations don’t report all their losses

3- How should you respond to security threats?


Personal Security Safeguards:
 Create strong passwords – no word in any language; mix letters, numbers and special
characters. Brute-force attack: a cracker tries every combination
 Send no valuable data via email, as it is not protected by encryption
 Regularly update antivirus software
 Follow organisational security directives and guidelines

Cookie: small files that your browser receives when you visit websites. Cookies enable you
to access websites without having to sign in every time and speed up processing of some
sites. Trade-off: sensitive security data may be compromised.
CCleaner: free, open source product that securely removes data including browsing history,
temp files and cookies. Security is substantially improved, but the PC is more difficult to use.

4 - How should organisations respond to security threats?


Name and describe two security functions that senior management should address.
There are two critical security functions: security policy and risk management.

Security policies should contain:


 What sensitive data the organisation will store
 How it will process that data
 Whether data will be shared with other organisations
 How employees and others can obtain copies of data stored about them
 How employees and others can request changes to inaccurate data

Risk management:
 Proactively balance the trade-off between risk and cost – this varies between industries, e.g.
financial institutions are obvious targets, so they must invest heavily in security
safeguards
 To make trade-off decisions:
o Create inventory of data and hardware to protect and then evaluate
safeguards relative to the probability of each potential threat
o Understand categories and frequencies of threat
o Decide how much risk to take i.e. which security safeguards to implement

5 - How can technical safeguards protect against security threats?


Technical safeguards:
 Identification (username) and authentication (password)
 Encryption
 Firewalls
 Malware protection
 Design for secure apps

Types of authentication:
 What you know – Username and password
 What you have – Smartcard: contains a microchip that is loaded with identifying data.
A PIN must be entered to be authenticated
 What you are – Biometric authentication: fingerprints, facial features and retinal
scans are used to authenticate users.

Encryption
Encryption: transforming clear text into coded, unintelligible text for secure storage or
communication.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS): a protocol that uses a
combination of public key encryption and symmetric encryption.
Public key encryption: a version of asymmetric encryption used on the Internet where each
site has a public key for encoding messages and a private key for decoding them.
Asymmetric encryption: two keys are used; one to encode and one to decode the message.
Symmetric encryption: same key is used to encode and decode.
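The combination the notes describe for SSL/TLS, worked through in Go as an added example (not the textbook’s code): the site’s RSA key pair is the public key part, a per-session AES key is the symmetric part. The function names, the 2048-bit key size and the OAEP padding are this example’s own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// newSiteKey makes the site's RSA key pair; the private half never leaves the site.
func newSiteKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Asymmetric part: the client encodes its fresh session key with the site's
// public key; only the holder of the matching private key can decode it.
func wrapSessionKey(sitePub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, sessionKey, nil)
}
func unwrapSessionKey(sitePriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, sitePriv, wrapped, nil)
}

// Symmetric part: both sides now encode and decode records with AES-GCM under one key.
type session struct{ aead cipher.AEAD }

func newSession(key []byte) (*session, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &session{aead}, err
}

// seal encrypts and authenticates one record; the random nonce is prepended.
func (s *session) seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open decrypts a sealed record; tampering or a different key makes it fail.
func (s *session) open(record []byte) ([]byte, error) {
	if n := s.aead.NonceSize(); len(record) >= n {
		return s.aead.Open(nil, record[:n], record[n:], nil)
	}
	return nil, errors.New("record too short")
}
```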

How SSL/TLS works when you communicate securely with a website:


Firewalls
Firewall: a computing device that prevents unauthorised network access.
There are multiple kinds of firewall:
 Perimeter firewall – sits outside the organisation’s network; the first device that
Internet traffic encounters, e.g. protects the organisation’s computers
 Internal firewall, e.g. protects a LAN
 Packet-filtering firewall – examines the source address, destination address and other
data to decide whether to let that packet pass
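The packet-filtering decision described above, as an added Go example that is not from the textbook: a rule list is checked in order, the first match decides, and a packet that matches no rule is dropped. The rule set, the addresses (documentation and private ranges) and the port numbers are constructed for illustration.

```go
package main

import "net"

// Packet-filtering firewall as the notes describe it: a packet is let through or
// dropped on the basis of its source address, destination address and other header
// data (here the destination port). Example added to these notes, not textbook code.
type rule struct {
	src, dst *net.IPNet // nil matches any address
	dstPort  int        // 0 matches any port
	allow    bool
}

type packet struct {
	src, dst net.IP
	dstPort  int
}

// cidr parses constant rule text; a bad literal is a programming error.
func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// decide returns the verdict of the first matching rule; a packet that matches
// no rule is dropped (default deny), so only explicitly permitted traffic passes.
func decide(rules []rule, p packet) bool {
	for _, r := range rules {
		if r.src != nil && !r.src.Contains(p.src) {
			continue
		}
		if r.dst != nil && !r.dst.Contains(p.dst) {
			continue
		}
		if r.dstPort != 0 && r.dstPort != p.dstPort {
			continue
		}
		return r.allow
	}
	return false
}

// perimeterRules is a constructed rule set for a perimeter firewall in front of web
// server 203.0.113.10 (LAN 192.168.1.0/24): anyone may use HTTPS (443), only the LAN
// may use SSH (22) for management, everything else is dropped.
var perimeterRules = []rule{
	{dst: cidr("203.0.113.10/32"), dstPort: 443, allow: true},
	{src: cidr("192.168.1.0/24"), dst: cidr("203.0.113.10/32"), dstPort: 22, allow: true},
}
```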

Malware protection
Malware: a category of software that includes viruses, spyware and adware.
Types of malware:
 Virus: a computer program that replicates itself
 Trojan horse: a virus that masquerades as a useful program or file
 Worm: a virus that self-propagates using the Internet. Worms spread so quickly that they
overload and crash a network
 Spyware: programs installed on a user’s PC without their knowledge or permission.
Spyware resides in the background and observes the user’s actions and keystrokes, monitors
computer activity and reports the user’s activities to sponsoring organisations
 Adware: similar to spyware, except that it doesn’t perform malicious acts. However, it
does watch user activity and produce pop-up ads. It can also change the default window
or modify search results
 Ransomware: malicious software that blocks access to a system or data until money
is paid to the attacker.

Malware safeguards:
1. Install antivirus and antispyware programs on the computer
2. Set up antimalware programs to scan computer frequently
3. Update malware definitions – patterns that exist in malware code
4. Open email attachments only from known sources
5. Promptly install software updates from legitimate sources
6. Browse only reputable sites

6 - How can data safeguards protect against security threats?


Define data administration and database administration and explain their difference.
Data safeguards protect databases and data. Two organisational units are responsible for
data safeguards: data administration and database administration.
Data administration: organisation-wide function that is in charge of developing data policies
and enforcing data standards.
Database administration: a function that pertains to a particular database e.g. ERP, CRM
and MRP databases. Develops procedures and practices to ensure efficient and orderly
multiuser processing of the database, to control changes to the database structure, and to
protect the database.

Data safeguards:
 Define data policies
 Data rights and responsibilities
 Rights enforced by user accounts authenticated by passwords
 Data encryption
 Backup and recovery procedures
 Physical security

7 - How can human safeguards protect against security threats?


Security policy for employees:
 Position definition
o Separate duties and authorities e.g. no single individual should both approve
expenses and write checks
o Determine least privilege – limit access privileges to what the job description requires,
e.g. users whose job description does not include modifying data should be given
read-only accounts
o Document position sensitivity
 Hiring and screening
 Dissemination and enforcement – employees need to be made aware of security
policies, procedures and responsibilities
o Responsibility
o Accountability
o Compliance
 Termination
o Friendly
o Unfriendly

Human safeguards for nonemployee personnel


 Contracts that govern the activity of temporary, vendor and partner personnel –
mention specific security responsibilities
 Hardening sites for the public (technical, not human) – using special versions of the OS
to lock down or eliminate OS features and functions that are not required by the
app.
The dimensions of account administration
 Account management – creating new user accounts, modifying existing account
permissions and removing unneeded accounts
 Password management
 Help-desk policies – in the past, help desks have been a serious security risk. Now,
many systems give the help-desk representative a means of authenticating the user.
The IS typically has answers to questions that only the true users would know.

Explain how system procedures can serve as human safeguards.

Describe security monitoring techniques.

8 - How should organisations respond to security incidents?


Summarize the actions that an organization should take when dealing with a security
incident.
