
Securing Information Systems

Why systems are vulnerable

Imagine the consequences if you had to connect to the internet without a firewall or antivirus software! To operate a business online, security and control should be a top priority. What do we mean by security and control?

Security: refers to the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems.

Control: refers to the methods, policies and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.

The potential for unauthorized access, abuse or fraud is not limited to a single location but can occur at any access point in the network.

Users at the client level can cause harm by introducing errors or by accessing systems without authorization. It is possible to access data flowing over networks, steal valuable data during transmission, or alter messages without authorization. Intruders can launch denial-of-service attacks or malicious software to disrupt the operation of Web sites. Those capable of penetrating corporate systems can destroy or alter corporate data stored in databases or files.

Systems malfunction if computer hardware breaks down, is not configured properly, or is damaged by improper use or criminal acts. Errors in programming, improper installation, or unauthorized changes cause computer software to fail. Power failures, floods, fires or other natural disasters can also disrupt computer systems. Domestic or offshore partnering with another company adds to system vulnerability if valuable information resides on networks and computers outside the organization's control. Without strong safeguards, valuable data could be lost or destroyed, or could fall into the wrong hands, revealing important trade secrets or information that violates personal privacy.

Smartphones used by corporate executives may contain sensitive data such as sales figures, customer names, phone numbers and e-mail addresses. Intruders may be able to access internal corporate networks through these devices. Unauthorized downloads may introduce disabling software.

Internet Vulnerabilities

Computers that are constantly connected to the Internet by cable modems or DSL lines are more open to penetration by outsiders because they use fixed internet addresses, through which they can be easily identified.

Most Voice over IP (VoIP) traffic over the public internet is not encrypted, so anyone with access to the network can listen in on conversations. Hackers can intercept conversations or shut down voice service by flooding the servers supporting VoIP with bogus traffic. Vulnerability has also increased from the widespread use of e-mail, IM, and file-sharing programs. E-mail may contain attachments that serve as a springboard for malicious software or unauthorized access to internal corporate systems.

E-mails can be used to transmit valuable trade secrets, financial data or confidential customer information to unauthorized recipients. IM applications can be intercepted and read by outsiders during transmission over the public internet. Sharing files over networks, such as those for illegal music sharing, may also transmit malicious software or expose information on either individual or corporate computers to outsiders.

Malicious Software: Viruses, Worms, Trojan Horses and Spyware

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. It is not always a complete program; it can also appear in the form of a script or a fragment of code. Malware is a general term for any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent, and computer professionals use it to cover a variety of forms of hostile, intrusive, or annoying software.

Malware includes computer viruses, worms, trojan horses, spyware and other malicious programs.

Computer virus

A computer virus is a computer program that can replicate itself and spread from one computer to another. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or on a file system that is accessed by other computers. The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables.

Viruses may also contain a payload that performs other actions, often malicious. Examples of payloads include data destruction, messages with insulting text, or spurious e-mail messages sent to a large number of people.

Worms

Worms are independent computer programs that copy themselves from one computer to other computers over a network. Unlike viruses, they can operate on their own without attaching to other program files, and they rely less on human behaviour to spread from one computer to another.

Worms destroy data and programs as well as disrupt or even halt the operation of computer networks. E-mail worms are currently the most problematic. Worms and viruses are often spread over the internet from files of downloaded software, from files attached to e-mail transmissions, or from compromised email messages or instant messaging. Viruses have also invaded computerized information systems from infected disks or infected machines.

According to a 2008 Consumer Reports survey, U.S. consumers lost $8.5 billion because of malware and online scams, and the majority of these losses came from malware.

Trojan Horse

A Trojan horse, or Trojan, is a standalone malicious program designed to give full control of an infected PC to another PC. It can also perform other typical computer virus activities. Trojan horses can make copies of themselves, steal information, or harm their host computer systems.

Purpose and uses

A Trojan gives a hacker remote access to a targeted computer system. Once a Trojan has been installed on a targeted computer system, the hacker has remote access to the computer and can perform all kinds of operations. Operations that could be performed by a hacker on a targeted computer system include:

- Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
- Electronic money theft
- Data theft (e.g. retrieving passwords or credit card information)
- Installation of software, including third-party malware
- Downloading or uploading of files on the user's computer
- Modification or deletion of files
- Keystroke logging
- Watching the user's screen
- Crashing the computer
- Anonymizing internet viewing, etc.

According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world".

Spyware

Spyware is a type of malware (malicious software) installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware is often secretly installed on a user's personal computer without their knowledge, and its functions can extend beyond simple monitoring of the user's computer. Spyware can collect almost any type of data, including personal information such as Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, resulting in slow Internet connection speeds, unauthorized changes in browser settings, or interference with the functionality of other software.

Keyloggers

Keyloggers are software programs that record every keystroke made on a computer. They are used to steal serial numbers for software, to launch internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers.

Hackers and computer crime

A hacker is an individual who intends to gain unauthorized access to a computer system. Within the hacking community, the term cracker is typically used to denote a hacker with criminal intent.

Hacker activities include theft of information, system damage and cyber vandalism: the intentional disruption, defacement, or even destruction of a website or corporate information system.

Spoofing and Sniffing

Hackers attempting to hide their true identities often spoof, or misrepresent, themselves by using fake e-mail addresses or masquerading as someone else. Spoofing may also involve redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination. In common industry usage, a sniffer (with lower-case "s") is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. Sniffers also enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files and confidential reports.

Denial-of-Service Attacks

In a denial-of-service attack, hackers flood a network server or web server with many thousands of false communications or requests for services in order to crash the network. The network receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and overwhelm the network from numerous launch points. Such attacks cause a website to shut down, making it impossible for legitimate users to access that site.
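As an added illustration of the flood described above (example code, not part of the original notes), the following Python buckets web-server requests into time windows and labels a burst as coming from one source or from many launch points; the log lines, addresses and thresholds are constructed sample values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Added example for the denial-of-service passage; not code from the lecture
# notes. It buckets web-server requests into fixed time windows and labels a
# burst as single-source (DoS) or spread across many launch points (DDoS).
# Thresholds, addresses and log lines are constructed sample values.

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')   # common log format prefix
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, epoch_seconds), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(2), TIME_FMT)
    return m.group(1), int(stamp.timestamp())


def classify_windows(lines, window=10, total_threshold=200,
                     per_source_threshold=50):
    """Map window start (epoch) -> (label, sources exceeding the per-host limit)."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip junk instead of aborting the run
        ip, epoch = parsed
        buckets[epoch - epoch % window][ip] += 1
    result = {}
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        heavy = sorted(ip for ip, n in counts.items() if n > per_source_threshold)
        if total <= total_threshold:
            result[start] = ("normal", [])
        elif heavy:
            result[start] = ("dos", heavy)    # a few hosts generate the flood
        else:
            result[start] = ("ddos", [])      # many hosts, each under the limit
    return result


def make_lines(ips, stamp):
    """Constructed access-log lines: one GET per address in ips."""
    return [f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512' for ip in ips]


# Constructed scenario: light traffic, then one host sending 300 requests,
# then 250 distinct hosts sending one request each, in consecutive windows.
SAMPLE = (
    make_lines(["198.51.100.1", "198.51.100.2"], "10/Oct/2023:13:55:00 +0000")
    + make_lines(["203.0.113.7"] * 300, "10/Oct/2023:13:55:10 +0000")
    + make_lines([f"192.0.2.{i}" for i in range(250)], "10/Oct/2023:13:55:20 +0000")
)

if __name__ == "__main__":
    for start, (label, sources) in classify_windows(SAMPLE).items():
        print(start, label, sources)
```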

Who is at risk of DDoS? Perpetrators of DoS attacks use botnets to launch an attack.

Computer Crime

Computer crime is the commission of illegal acts through the use of a computer or against a computer system. Many companies are reluctant to report computer crimes because the crimes may involve employees, or because the company fears that publicizing its vulnerability will hurt its reputation. The most economically damaging kinds of computer crimes are DoS attacks, introducing viruses, theft of services and disruption of computer systems.

Since 2007, India's premier National Informatics Center (NIC), which governs and hosts all Government websites, has been infected by the mysterious GhostNet at least 12 times. Computers of nine key Indian embassies, including offices in the US, UK and Germany, were also infected by GhostNet.

Crimes against computers:
- Breaching the confidentiality of protected computerized data
- Accessing a computer system without authority
- Knowingly accessing a protected computer to commit fraud
- Intentionally accessing a protected computer and causing damage, negligently or deliberately
- Knowingly transmitting a program, program code or command that intentionally causes damage to a protected computer

Computers as instruments of crime:
- Theft of trade secrets
- Unauthorized copying of software or copyrighted IP such as articles, books, music and video
- Using e-mail for threats and harassment
- Intentionally attempting to intercept electronic communication
- Illegally accessing stored electronic communications, including e-mail and voice mail

Identity Theft

Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social security identification numbers, driver's license numbers or credit card numbers, to impersonate someone else. One increasingly popular form of spoofing is called phishing. Phishing involves setting up fake websites or sending e-mail messages that look like those of legitimate businesses to ask users for confidential personal data.
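The spoofed sender addresses and brand-impersonating phishing messages described above can be screened on the receiving side; the Python below is an added example (not from the original notes) that flags a display name or lookalike domain invoking a trusted brand while the real From domain belongs to someone else, and a Reply-To that diverts replies elsewhere. The brand table and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Added example for the spoofing and phishing passages; not code from the
# lecture notes. It inspects message headers for a sender masquerading as a
# legitimate business: a display name or lookalike domain that invokes a
# trusted brand while the From domain is not one the brand actually uses,
# and a Reply-To that routes responses to a different domain. Brand table
# and sample messages are constructed.

TRUSTED_DOMAINS = {"examplebank": {"examplebank.com"}}   # constructed table


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable reasons the message looks spoofed."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    reasons = []
    # Spaces removed so "Example Bank" matches the brand key "examplebank".
    brand_text = f"{display_name}{from_domain}".replace(" ", "").lower()
    for brand, domains in TRUSTED_DOMAINS.items():
        # Brand named in the display name or a lookalike domain, but the
        # actual sending domain is not one registered to that brand.
        if brand in brand_text and from_domain not in domains:
            reasons.append(f"claims {brand} but From domain is {from_domain!r}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")
    return reasons


# Constructed sample messages: a genuine notice and a spoofed lookalike.
LEGITIMATE = (
    "From: Example Bank <alerts@examplebank.com>\n"
    "Subject: Your monthly statement\n\n"
    "Your statement is available in online banking.\n"
)
SUSPICIOUS = (
    "From: Example Bank Security <noreply@examplebank-verify.net>\n"
    "Reply-To: collect@mail-drop.example\n"
    "Subject: Verify your account now\n\n"
    "Confirm your password to keep your account active.\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```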

Evil twins: Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels or coffee shops. The bogus network looks identical to a legitimate public network. Fraudsters try to capture the passwords or credit card numbers of unwitting users who log on to the network.

Pharming: Pharming redirects users to a bogus web page, even when the individual types the correct web page address into his or her browser. This is possible if pharming perpetrators gain access to the internet address information stored by ISPs to speed up web browsing, and the ISPs have flawed software on their servers that allows the fraudsters to hack in and change those addresses.

Click Fraud: Click fraud occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.

Cyber terrorism is the use of Internet-based attacks in terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet, by means of tools such as computer viruses. Cyber terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein, carried out to intimidate or coerce a government or its people in furtherance of political or social objectives.

According to the U.S. Commission of Critical Infrastructure Protection, possible cyber terrorist targets include the banking industry, military installations, power plants, air traffic control centers, and water systems.

Cyber warfare

Cyber warfare refers to actions by a nation-state to penetrate another nation's computers or networks for the purpose of causing damage or disruption. Cyber warfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems, among many other possibilities.

Examples of cyber warfare: In 2007, in Estonia, a botnet of over a million computers brought down government, business and media websites across the country. The attack was suspected to have originated in Russia, motivated by political tension between the two countries. In 1998, the United States hacked into Serbia's air defense system to compromise air traffic control and facilitate the bombing of Serbian targets.

Software Vulnerability

Software errors cause losses in productivity. Reasons include the growing complexity and size of software programs. For example, a flawed software upgrade shut down the BlackBerry e-mail service throughout North America for about 12 hours between April 17 and April 18, 2007. According to the U.S. Department of Commerce's NIST, software flaws cost the U.S. economy $59.6 billion each year. The main source of software bugs, or program code defects, is the complexity of decision-making code: even small programs contain tens of decisions, and companies run systems with millions of lines of code.

Zero defects or complete testing is simply not possible. Flaws in commercial software impede performance and also create security vulnerabilities that open networks to intruders. Each year security firms identify about 5,000 software vulnerabilities in internet and PC software. For example, in 2007 Symantec identified 39 vulnerabilities in Microsoft Internet Explorer, 34 in Mozilla browsers, 25 in Apple Safari and 7 in Opera. Vendors create small pieces of software called patches to repair the flaws in software.

For example, Microsoft's Windows Vista Service Pack 1, released in February 2008, includes some security enhancements to counter malware and hackers. Maintaining patches on all devices and services used by a company is time-consuming and costly.

Business Value of Security and Control

Many firms are reluctant to spend heavily on security because it is not directly related to sales revenue. However, protecting information systems is very critical. Companies store valuable information about individuals and corporate operations. Government systems also store critical information. Businesses must protect not only their own information assets but also those of customers, employees and business partners. Failure to do so may open the firm to costly litigation for data exposure or theft.

Strong security and control increase employee productivity and lower operational costs. For example, NSE uses Websense Enterprise to regulate the outgoing Internet traffic of 1,000-plus employees and contractors. The NSE has also opted for Security Filtering, an offering within Websense's filtering categories, which blocks spyware, bots and keyloggers.

Electronic Evidence and Computer Forensics

Much of the evidence today for stock fraud, embezzlement, theft of company trade secrets, computer crime and many civil cases is in digital form. Legal cases increasingly rely on evidence represented as digital data stored on portable floppy disks, CDs and computer hard disk drives, as well as in e-mail, instant messages and e-commerce transactions over the internet. In a legal action, the company is required to produce digital data as demanded by law.

Courts now impose severe financial and criminal penalties on companies if electronic documents are not properly maintained or are destroyed. Computer forensics is the scientific collection, examination, authentication, preservation and analysis of data held on or retrieved from computer storage media, in such a way that the information can be used as evidence in a court of law. It deals with the following problems:
- Recovering data from computers while preserving evidential integrity
- Securely storing and handling recovered electronic data
- Finding significant information in a large volume of electronic data
- Presenting the information to a court of law

Data that a computer user may have deleted on computer storage media can be recovered through various techniques. Computer forensics experts try to recover such hidden data for presentation as evidence. The CIO, security specialists, information systems staff and corporate legal counsel should all work together to have a plan in place that can be executed if a legal need arises.
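The recovery of deleted data while preserving evidential integrity, described above, is illustrated by the following added Python example (not from the original notes): it hashes a raw image before and after examination and recovers a deleted PNG by carving on the file's signature bytes rather than on file-system metadata. The disk image, the embedded PNG and the filler bytes are all constructed.

```python
import hashlib

# Added example for the computer-forensics passage; not code from the lecture
# notes. It treats a byte string as a raw disk image, records its SHA-256
# before and after examination (evidential integrity and authentication), and
# recovers a deleted PNG by carving on the file's signature bytes instead of
# trusting directory entries that no longer exist. The image is constructed.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # fixed 8-byte PNG header
PNG_TRAILER = b"IEND\xaeB`\x82"       # IEND chunk type plus its CRC


def sha256_hex(data):
    """Hex digest used as the integrity record for an evidence image."""
    return hashlib.sha256(data).hexdigest()


def carve_png(image):
    """Return [(offset, file_bytes)] for every complete PNG found in image."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_MAGIC, pos)
        if start == -1:
            break
        end = image.find(PNG_TRAILER, start)
        if end == -1:
            break                          # header without trailer: truncated, skip
        end += len(PNG_TRAILER)
        found.append((start, image[start:end]))
        pos = end
    return found


def examine(image):
    """Carve from an immutable copy and confirm the evidence was not altered."""
    acquisition_hash = sha256_hex(image)
    carved = carve_png(image)
    verification_hash = sha256_hex(image)
    return {
        "acquisition_hash": acquisition_hash,
        "verification_hash": verification_hash,
        "intact": acquisition_hash == verification_hash,
        "recovered": carved,
    }


# Constructed image: slack space, the remains of a deleted PNG (directory
# entry gone, file bytes still present), then more unallocated space.
FAKE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + PNG_TRAILER
FILLER = b"\x00" * 64 + b"deleted-dir-entry-gone" + b"\xff" * 32
IMAGE = bytes(FILLER + FAKE_PNG + b"\x00" * 40)
TRUNCATED = bytes(FILLER + PNG_MAGIC + b"\x00" * 20)   # no IEND: unrecoverable

if __name__ == "__main__":
    report = examine(IMAGE)
    for offset, data in report["recovered"]:
        print(f"PNG at offset {offset}, {len(data)} bytes; intact={report['intact']}")
```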

IS Controls:

1) General Controls
 - Software controls
 - Hardware controls
 - Computer operations controls
 - Data security controls
 - Implementation controls
 - Administrative controls

2) Application Controls
 - Input controls
 - Processing controls
 - Output controls

Risk Assessment: What is it?

Security Policy:
 - Meaning
 - AUP (Acceptable Use Policy)
 - Authorization Policies

Disaster Recovery Planning and Business Continuity Planning
 - DRP Examples: MasterCard, Rio Tinto, Spectramind, HP, Lucent etc.
 - BCP Examples: Deutsche Bank

The Role of Auditing: What purpose does an MIS Audit serve?

Tools for protecting Information Resources

1. Access Control: Authentication & Authorization
2. Firewalls, Intrusion Detection Systems, and Antivirus Software
3. Securing Wireless Networks
4. Encryption
5. Ensuring System Availability
6. Controlling Network Traffic: Deep Packet Inspection
7. Security Outsourcing: MSSPs (Managed Security Service Providers)
