Securing Information Systems

System Vulnerability And Abuse

Can you imagine what would happen if you tried to link to the Internet without a firewall or antivirus software? Your computer would be disabled in a few seconds, and it might take you many days to recover.

When large amounts of data are stored in electronic form, they are vulnerable to many more kinds of threats than when they existed in manual form. Through communications networks, information systems in different locations are interconnected. The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network.

Fig. Contemporary Security Challenges and Vulnerabilities

Internet Vulnerabilities

Large public networks, such as the Internet, are more vulnerable than internal networks because they are virtually open to anyone. The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. When the Internet becomes part of the corporate network, the organization's information systems are even more vulnerable to actions from outsiders.

Wireless Security Challenges

It depends on how vigilant you are. Even the wireless network in your home is vulnerable because radio frequency bands are easy to scan. Both Bluetooth and Wi-Fi networks is only several hundred feet, it can be extended up to one-fourth of a mile using external antennae.

Fig. Wi-Fi Security Challenges

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware

Malicious software programs are referred to as malware and include a variety of threats, such as computer viruses, worms, and Trojan horses. Worms and viruses are often spread over the Internet from files of downloaded software, from files attached to e-mail transmissions, or from compromised e-mail messages or instant messaging. Many users find such spyware annyoing and some critics worry about its infringement on computer users' privacy.

Hackers and Computer Crime

A hacker is an individual who intends to gain unauthorized access to a computer system. Within the hacking community, the term cracker is typically used to denote a hacker with criminal intent, although in the public press, the terms hacker and cracker used interchangeably. Cybervandalism is the intentional disruption, defacement, or even destruction of a Web site or corporate information system.

Spoofing and Sniffing

Hackers attempting to hide their true identifies often spoof, or misrepresent, themselves by using fake e-mail addresses or masquerading as someone else. Spoofing also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. A sniffer is a type of eavesdropping program that monitors information traveling over a network.

Denial-of-service Attacks

In a denial-of-service (DoS) attack, hackers flood a network server or Web server with many thousands of false communications or requests for services to crash the network. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and overwhelm the network from numerous launch points.

Computer Crime

Most hacker activities are criminal offenses, and the vulnerabilities of systems we have just described make them targets for other types of computer crime as well. No one knows the magnitude of the computer crime problem - how many systems are invaded, how many people engage in the practice, or the total economic damage. The most economically damaging kinds of computer crimes are DoS attacks, introducing viruses, theft of services, and disruption of computer systems.

Identity Theft
Identity Theft is a crime in which an imposter obtains key pieces of personal information, such as social security identification numbers, driver's license numbers, or credit card numbers, to impersonate someone else.

Click Fraud
Click Fraud occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.

Business Value of Security and Control

Many firms are reluctant to spend heavily on security because it is not directly related to sales revenue. However, protecting information systems is so critical to the operation of the business that it deserves a second look.

Legal and Regulatory Requirements for Electronic Records Management
If you work in the health care industry, your firm will need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. If you work in a firm providing financial services, your firm will need to comply with the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act after its congressional sponsors. If you work in a publicly traded company, your company will need to comply with the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act after its sponsors Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio.

Electronic Evidence And Computer Forensics

Computer forensics is the scientific collection, examination, authentification, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. It deals with the following problems:

• Recovering data from computers while preserving evidential integrity
• Securely storing and handling recovered electronic data
• Finding significant information in a large volume of electronic data
• Presenting the information to a court of law

Electronic evidence may reside on computer storage media in the form of computer files and as ambient data, which are not visible to the average user.

Role of Auditing
An MIS audit examines the firm's overall security environment as well as controls governing individual information systems.

Identity Management and Authentication
To gain access to a system, a user must be authorized and authenticated. Authentication refers to the ability to know that a person is who he or she claims to be. Authentication is often established by using passwords known only to authorized users.

Firewalls
Firewalls prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.

 

Fig. A Corporate Firewall

Intrusion Detection Systems

Intrusion Detection Systems feature full-time monitoring tools placed at the most vulnerable points or "hot spots" of corporate networks to detect and deter intruders continually.

Antivirus and Antispyware Software

Antivirus software is designed to check computer systems and drives for the presence of computer viruses.

Encryption and Public Key Infrastructure

Two methods for encrypting network traffic on the Web are SSL and S-HTTP. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session. Secure Hypertext Transfer Protocol (S-HTTP) is another protocol used for encrypting data flowing over the Internet, but it is limited to individual messages, where as SSL and TLS are designed to establish a secure connection between two computers. A more secure form of encryption called public key encryption uses two keys: one share (or public) and one totally private. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key.

Fig. Public Key Encryption

Digital certificates are data files used to establish the identity of users and electronic assets for protection of online transactions.

Ensuring System Availability

In online transaction processing, transactions entered online are immediately processed by the computer. Multitudinous changes to databases, reporting, and requests for information occur each instant. Fault-tolerant computer systems contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service.

Controlling Network Traffic: Deep Packet Inspection

A technology called deep packet inspection (DPI) examines data files and sort out low-priority online material while assigning higher priority to business-critical files. 

Security Issues For Cloud Computing and The Mobile Digital Platform

Security in the Cloud

Cloud users should ask whether cloud providers will submit to external audits and security certifications. These kinds of controls can be written into the service level agreement (SLA) before to signing with a cloud provider.

Securing Mobile Platforms

If mobile devices are performing many of the functions of computers, they need to be secured like desktops and laptops against malware, theft, accidental loss, unauthorized access, and hacking attempts. Mobile devices accessing corporate systems and data require special protection.

Summary

Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software failures. The Internet is designed to be an open system and makes internal corporate systems more vulnerable to actions from outsiders. Lack of sound security and control can cause firms relying on computer systems for their core business functions to lose sales and productivity. Firms need to establish a good set of both general and application controls for their information systems. A risk assessment evaluates information assets, identifies control points and control weaknesses, and determines the most cost-effective set of controls. Firewalls prevent unauthorized users from accessing a private network when it is linked to the Internet. Companies can use fault-tolerant computer systems or create high-availability computing environments to make sure that their information systems are always available. Use of software metrics and rigorous software testing help improve software quality and reliability.