1 N.Karami, MIS-Spring 2012
Management Information Systems
Securing Information Systems
Graduate School of Management & Economics

Securing Information Systems
Learning Objectives
• Describe the major ethical (privacy) issues related to information technology and identify situations in which they occur.
• Describe the many threats to information security.
• Understand the various defense mechanisms used to protect information systems.
• Explain IT auditing and planning for disaster recovery.
Computer systems intrusion at TJX
Privacy Issues
You Be the Judge
Terry Childs: Guilty or not Guilty?
Privacy
Court decisions have followed two rules:
(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
(2) The public’s right to know is superior to the individual’s right of privacy.
• Threats to Privacy
– Data aggregators, digital dossiers, and profiling
– Electronic surveillance
– Personal information in databases
– Information on Internet bulletin boards, newsgroups, and social networking sites
Data Aggregators, Digital Dossiers, and Profiling
Information on Internet Bulletin Boards, Newsgroups, & Social Networking Sites
Protecting Privacy
• Privacy codes and policies: an organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
• Opt-out model of informed consent: permits the company to collect personal information until the customer specifically requests that the data not be collected.
• Opt-in model of informed consent: organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.
IS Security Management
• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources.
Factors Increasing the Threats to Information Security
• Today’s interconnected, interdependent, wirelessly-networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime turning to cybercrime
• Downstream liability
• Increased employee use of unmanaged devices
• Lack of management support
Key Information Security Terms (1)
• A threat to an information resource is any danger to which a system may be exposed.
• The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
• A system’s vulnerability is the possibility that the system will suffer harm by a threat.
• System security focuses on protecting hardware, data, software, computer facilities, and personnel.
Key Information Security Terms (2)
• Information security describes the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties.
– Includes copiers, faxes, all types of media, and paper documents
• Risk is the likelihood that a threat will occur.
• Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.
Objectives of Information Security
Security Threats
Categories of Threats to Information Systems
• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts
(from Whitman and Mattord, 2003)
Human Errors
• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
Anti-Tailgating Door
Shoulder Surfing
Most Dangerous Employees
Human resources and MIS
Remember, these employees hold ALL the information
Deliberate Acts
Malicious Software (Malware)
• Viruses: rogue software programs that attach themselves to other software programs or data files in order to be executed
• Worms: independent computer programs that copy themselves from one computer to other computers over a network
• Trojan horses: software programs that appear to be benign but then do something other than expected
• Spyware: programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
Deliberate Acts
Hackers & Crackers
• Hacking is
– The obsessive use of computers
– The unauthorized access and use of networked computer systems
– Activities include system intrusion, system damage, and cybervandalism
• Electronic Breaking and Entering
– Hacking into a computer system and reading files, but neither stealing nor damaging anything
• Cracker
– A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
Deliberate Acts
Common Hacking Tactics (1)
• Spoofing
– Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
• Sniffer
– Eavesdropping program that monitors information traveling over a network
– Enables hackers to steal proprietary information such as e-mail, company files, etc.
– Capturing passwords or entire contents
• Scans
– Widespread probes of the Internet to determine types of computers, services, and connections
– Looking for weaknesses
Deliberate Acts
Common Hacking Tactics (2)
• Denial-of-service attacks (DoS)
– Flooding a server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS)
– Use of numerous computers to launch a DoS
• Back Doors
– A hidden point of entry to be used in case the original entry point is detected or blocked
• War Dialing
– Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
• Logic Bombs
– An instruction in a computer program that triggers a malicious act
Deliberate Acts
Computer Crime (1)
• Identity theft
– Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
• Phishing
– Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins
– Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming
– Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
Deliberate Acts
Computer Crime (2)
• Click fraud
– Occurs when an individual or a computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
Information Systems Controls
• General controls
– Govern design, security, and use of computer programs and security of data files in general throughout the organization’s information technology infrastructure
– Apply to all computerized applications
– Combination of hardware, software, and manual procedures to create an overall control environment
• Application controls
• Physical controls
• Access controls
• Communications (network) controls
• MIS auditing
Where Defense Mechanisms (Controls) are Located

Access Control
• Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
• The access control three-step process includes:
– User identification
– User authentication
  • Something the user is: biometric authentication (facial recognition, hand geometry, fingerprint scan, palm scan, retina scan, iris scan)
  • Something the user does: signature, voice recognition
  • Something the user has: regular ID card, smart ID card, or token
  • Something the user knows: passwords, passphrases
– User authorization
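The three-step process above (identification, authentication, authorization) in working code. This is an added example, not code from the slides: the user store, role names, permission sets and sample accounts are all constructed for illustration. Authentication uses "something the user knows" (a password), stored only as a salted PBKDF2 hash, and authorization is deny-by-default, so a correctly authenticated user still cannot perform an action their role does not grant.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster

# Constructed user store (not from the slides): a salted PBKDF2 hash per user, never the password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_user(store: Dict[str, dict], username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# Steps 1 and 2: identification (the claimed username) and authentication
# (proof by something the user knows). Returns the user's role, or None on failure.
def authenticate(store: Dict[str, dict], username: str, password: str) -> Optional[str]:
    record = store.get(username)
    # Do the same amount of work for unknown users so response time does not leak which accounts exist.
    salt = record["salt"] if record else bytes(16)
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["role"]

# Step 3: authorization, what an authenticated role is allowed to do (deny by default).
PERMISSIONS = {
    "teller": {"view_account"},
    "manager": {"view_account", "approve_loan"},
}

def authorize(role: Optional[str], action: str) -> bool:
    return role is not None and action in PERMISSIONS.get(role, set())

def access(store: Dict[str, dict], username: str, password: str, action: str) -> bool:
    """Full three-step check: identify, authenticate, then authorize."""
    return authorize(authenticate(store, username, password), action)

def access_control_demo() -> Dict[str, bool]:
    store: Dict[str, dict] = {}
    create_user(store, "alice", "correct horse battery staple", "manager")
    create_user(store, "bob", "hunter2", "teller")
    return {
        "alice_approve": access(store, "alice", "correct horse battery staple", "approve_loan"),
        "bob_view": access(store, "bob", "hunter2", "view_account"),
        "bob_approve": access(store, "bob", "hunter2", "approve_loan"),   # right user, wrong role
        "bad_password": access(store, "alice", "wrong", "approve_loan"),   # fails at step 2
        "unknown_user": access(store, "mallory", "x", "view_account"),     # fails at step 1/2
    }

if __name__ == "__main__":
    print(access_control_demo())
```

Note that `authenticate` returns the same failure for an unknown username and a wrong password, and hashes in both cases, so the login path does not reveal which accounts exist.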
Communication or Network Controls
• Firewalls
• Anti-malware systems
• Whitelisting and Blacklisting
• Intrusion detection systems
• Encryption
Firewalls
• A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
• Provides a filter and safe transfer point for access to/from the Internet and other networks
• Important for individuals who connect to the Internet with DSL or cable modems
• Can deter hacking, but cannot prevent it.
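A minimal packet filter, added here to show what the "filter" on the slide actually decides; it is not code from the slides. The network addresses, rule set and sample packets are constructed (documentation ranges), and the policy is the usual corporate one: the Internet may reach only the public web server on 80/443, the intranet may go out on HTTPS, and anything not explicitly allowed is denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # any source unless narrowed
    dst: str = "0.0.0.0/0"       # any destination unless narrowed
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything that matches no rule is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed corporate rule set (not from the slides). 203.0.113.10 is the
# public web server; 10.0.0.0/8 is the intranet; 198.51.100.0/24 stands in for the Internet.
RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("deny"),   # explicit default-deny, kept last on purpose
]

def firewall_demo() -> List[str]:
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # Internet -> web server: allowed
        Packet("198.51.100.7", "10.0.0.5", "tcp", 3389),      # Internet -> intranet host: denied
        Packet("10.0.1.20", "198.51.100.40", "tcp", 443),     # intranet -> Internet HTTPS: allowed
        Packet("10.0.1.20", "198.51.100.40", "tcp", 23),      # intranet -> Internet telnet: denied
    ]
    return [filter_packet(RULES, p) for p in samples]

if __name__ == "__main__":
    for verdict in firewall_demo():
        print(verdict)
```

The last bullet of the slide is visible in the code: the filter only sees addresses, protocol and port, so an attack carried inside an allowed HTTPS connection to the web server passes the same check as a legitimate request. That is why the firewall deters rather than prevents.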
Basic Home Firewall (top) and Corporate Firewall (bottom)
Intrusion Detection Systems and Antivirus Software
• Intrusion detection systems:
– Monitor hot spots on corporate networks to detect and deter intruders
– Examine events as they are happening to discover attacks in progress
• Antivirus and antispyware software:
– Checks computers for the presence of malware and can often eliminate it as well
– Requires continual updating
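What "examining events as they are happening" looks like in code: an added example, not code from the slides, of a sliding-window detector that reads an event log in arrival order and raises an alert when one source produces too many events of one kind inside a short window. The log format, the field names, the thresholds and every log line below are constructed for the example; the two constructed incidents are a password-guessing burst against the login service and a connection flood against the web server, with a user who simply mistypes twice staying below the threshold.

```python
import re
from collections import defaultdict, deque
from typing import List, Optional

# Constructed event-log format (not from the slides): "<epoch-seconds> <event> src=<ip> [user=<name>]"
LOG_RE = re.compile(r"^(?P<t>\d+) (?P<event>\w+) src=(?P<src>[\d.]+)(?: user=(?P<user>\w+))?$")

class SlidingWindowDetector:
    """Alerts when one source produces >= threshold events of one kind within `window` seconds."""

    def __init__(self, event: str, threshold: int, window: int) -> None:
        self.event, self.threshold, self.window = event, threshold, window
        self.history = defaultdict(deque)   # src -> timestamps still inside the window
        self.alerted = set()                # one alert per source, not one per extra event

    def observe(self, t: int, event: str, src: str) -> Optional[str]:
        if event != self.event:
            return None
        q = self.history[src]
        q.append(t)
        while q and t - q[0] > self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"{self.event}: {len(q)} events from {src} within {self.window}s"
        return None

def run_detectors(lines: List[str], detectors: List[SlidingWindowDetector]) -> List[str]:
    """Feed log lines in arrival order, as a live monitor would, and collect alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed line: skip it, never crash the monitor
        for d in detectors:
            alert = d.observe(int(m["t"]), m["event"], m["src"])
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample log: a password-guessing burst from one outside host, a user
# who mistypes twice, one unparsable line, and a connection flood against the web server.
SAMPLE_LOG = [
    "100 login_fail src=198.51.100.7 user=admin",
    "101 login_fail src=198.51.100.7 user=admin",
    "102 login_fail src=10.0.0.5 user=alice",
    "103 login_fail src=198.51.100.7 user=root",
    "104 login_fail src=10.0.0.5 user=alice",
    "105 login_fail src=198.51.100.7 user=admin",
    "106 login_ok src=10.0.0.5 user=alice",
    "107 login_fail src=198.51.100.7 user=guest",
    "garbage line that does not parse",
] + [f"{200 + i // 10} conn src=198.51.100.9" for i in range(30)] \
  + [f"{300 + i} conn src=10.0.0.5" for i in range(5)]

def detect_sample() -> List[str]:
    detectors = [
        SlidingWindowDetector("login_fail", threshold=5, window=60),
        SlidingWindowDetector("conn", threshold=25, window=5),
    ]
    return run_detectors(SAMPLE_LOG, detectors)

if __name__ == "__main__":
    for a in detect_sample():
        print("ALERT", a)
```

The thresholds are the tuning knobs the slide leaves implicit: set too low and ordinary mistakes page the on-call engineer; set too high and a slow, patient attempt stays under the window. Real deployments keep per-source state exactly like `history` here, just for far more event types.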
Encryption
• Encryption: transforming text or data into cipher text that cannot be read by unintended recipients
• Two alternative methods of encryption:
– Symmetric key encryption
  • Sender and receiver use a single, shared key
– Public key encryption
  • Uses two mathematically related keys: a public key and a private key
  • Sender encrypts the message with the recipient’s public key
  • Recipient decrypts with the private key
Public/Private Key Encryption
Public/Private Key Encryption
Digital Certificate
• Digital certificate:
– Data file used to establish the identity of users and electronic assets for the protection of online transactions
– Uses a trusted third party, a certification authority (CA), to validate a user’s identity
– The CA verifies the user’s identity and stores the information in the CA server, which generates an encrypted digital certificate containing owner ID information and a copy of the owner’s public key
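One worked example for both the Encryption slide and the Digital Certificate slide, added here and not taken from the slides. It walks the whole chain: the CA signs a certificate binding an owner ID to the owner's public key; the sender checks the CA's signature, takes the public key from the certificate, and uses it to encrypt a shared key (public key encryption); the actual message is then encrypted under that shared key (symmetric encryption); the recipient unwraps the shared key with the private key and decrypts. The RSA here is textbook RSA on small constructed primes with no padding, the stream cipher is a SHA-256 keystream XOR, and the signature truncates the hash to fit the toy modulus; all three are teaching stand-ins for the real, padded, authenticated constructions a library provides. Owner names, primes, the session key and the message are constructed.

```python
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)

# --- Public key encryption: textbook RSA on small, constructed primes -----------
def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public key, private key). Toy sizes: real keys use 2048-bit moduli."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)          # private exponent: d * e == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(pub: Key, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)          # anyone holding the public key can do this

def decrypt(priv: Key, c: int) -> int:
    n, d = priv
    return pow(c, d, n)          # only the private key holder can do this

# --- Symmetric encryption: one shared key, the same operation both ways ---------
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# --- Digital certificate: the CA signs (owner ID, owner public key) -------------
def _digest_int(message: str) -> int:
    # Truncate SHA-256 to 56 bits so the value sits below the toy modulus;
    # real RSA signatures pad the full hash instead of truncating it.
    return int.from_bytes(hashlib.sha256(message.encode()).digest()[:7], "big")

def sign(priv: Key, message: str) -> int:
    return pow(_digest_int(message), priv[1], priv[0])

def verify(pub: Key, message: str, signature: int) -> bool:
    return pow(signature, pub[1], pub[0]) == _digest_int(message)

def issue_certificate(ca_priv: Key, owner: str, owner_pub: Key) -> Tuple[str, int]:
    body = f"owner={owner};n={owner_pub[0]};e={owner_pub[1]}"
    return body, sign(ca_priv, body)

def public_key_from_certificate(body: str) -> Key:
    fields = dict(part.split("=", 1) for part in body.split(";"))
    return int(fields["n"]), int(fields["e"])

def hybrid_demo() -> bytes:
    """Sender wraps a shared key under Bob's CA-certified public key, then encrypts under it."""
    bob_pub, bob_priv = keygen(1000000007, 998244353)   # constructed primes
    ca_pub, ca_priv = keygen(1000000009, 999999937)     # constructed primes
    body, sig = issue_certificate(ca_priv, "bob@example.com", bob_pub)

    # Sender side: trust only the CA, check its signature, read the key out of the certificate.
    assert verify(ca_pub, body, sig)
    assert not verify(ca_pub, body.replace("bob", "eve"), sig)   # a tampered certificate fails
    pub = public_key_from_certificate(body)
    session_key = b"\x13\x37\xc0\xff\xee\x42\x07"       # 7 constructed bytes, so it fits below n
    wrapped_key = encrypt(pub, int.from_bytes(session_key, "big"))
    ciphertext = keystream_xor(session_key, b"approve loan request")

    # Recipient side: unwrap with the private key, then decrypt with the shared key.
    recovered = decrypt(bob_priv, wrapped_key).to_bytes(7, "big")
    return keystream_xor(recovered, ciphertext)

if __name__ == "__main__":
    print(hybrid_demo())
```

The certificate is what lets the sender trust `pub`: without the CA's signature, anyone could hand the sender a public key and claim it belongs to Bob. Note also what the slide calls an "encrypted" certificate is, in this example as in practice, a signed one: the body stays readable, and it is the signature that cannot be forged.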
How Digital Certificates Work
Communication or Network Controls (continued)
• Virtual private networking
• Secure Socket Layer (now Transport Layer Security)
• Employee monitoring systems
Virtual Private Network and Tunneling
Employee Monitoring System
The Role of Auditing
• MIS audit
– Examines the firm’s overall security environment as well as the controls governing individual information systems
– Reviews technologies, procedures, documentation, training, and personnel
– May even simulate a disaster to test the response of technology, IS staff, and other employees
– Lists and ranks all control weaknesses and estimates the probability of their occurrence
– Assesses the financial and organizational impact of each threat
Sample Auditor’s List of Control Weaknesses
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.