
Securing Information Systems
Management Information Systems: Managing the Digital Firm, 12e
Authors: Kenneth C. Laudon and Jane P. Laudon
Copyright © 2013 Dorling Kindersley (India) Pvt. Ltd.
Chapter 8


Systems Vulnerability
• Security: Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls: Methods, policies, and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards
• Why are systems vulnerable?
  § Accessibility of networks
  § Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
  § Software problems (programming errors, installation errors, unauthorized changes)
  § Disasters
  § Use of networks/computers outside of the firm’s control
  § Loss and theft of portable devices


Internet Vulnerabilities and Wireless Security
• When the Internet becomes part of the corporate network, the organization’s information systems are more vulnerable
• E-mail, P2P, IM: interception, attachments with malicious software, and transmitting trade secrets
• Unencrypted VoIP
• Wi-Fi in a public network poses risk since radio frequency is easy to scan
  § SSIDs (service set identifiers) identify wireless access points
  § War driving
    ○ Eavesdroppers drive by buildings and try to detect the SSID and gain access to the network and its resources
  § An intruder that has associated with an access point by using the correct SSID is capable of accessing other resources on the network


Malicious Software (Malware)
• Viruses
  § Rogue software program that attaches itself to other software programs or data files in order to be executed. They deliver a payload to computers.
• Worms
  § Independent computer programs that copy themselves from one computer to other computers over a network
• Trojan horses
  § Clears the way for viruses
• Spyware
  § Small programs that install themselves on computers to monitor user Web surfing activity and serve up advertising, or to record keystrokes that help steal account numbers, etc.


Hackers
• Hackers vs. crackers
• Activities include:
  § System intrusion
  § System damage
  § Cybervandalism
    ○ Intentional disruption, defacement, or destruction of a Web site or corporate information system


Types of Hacking
• Spoofing
  § Misrepresenting oneself (the hacker) by using fake e-mail addresses or masquerading as someone else
  § Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
• Sniffer
  § Eavesdropping program that monitors information traveling over a network
  § Enables hackers to steal proprietary information such as e-mail, company files, etc.
• Denial-of-service attacks (DoS)
  § Flooding a server with thousands of false queries to crash the network. This causes a Web site to shut down.


Computer Crime
• Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
• Computer may be the target of crime, e.g.:
  § Breaching confidentiality of protected computerized data
  § Accessing a computer system without authority
• Computer may be the instrument of crime, e.g.:
  § Theft of trade secrets
  § Using e-mail for threats or harassment


Types of Computer Crime
• Identity theft
  § Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
• Phishing
  § Setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data
• Pharming
  § Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
• Click fraud
  § Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase


Internal Threats: Employees
• Security threats often originate inside an organization
• Inside knowledge
• Sloppy security procedures
  § Password sharing
• Social engineering:
  § Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information


Software Vulnerability
• Commercial software contains flaws that create security vulnerabilities
  § Hidden bugs (program code defects)
    ○ Zero defects cannot be achieved because complete testing is not possible with large programs
  § Flaws can open networks to intruders
• Patches
  § Vendors release small pieces of software to repair flaws
  § However, exploits are often created faster than patches can be released and implemented


Information systems controls
• Information systems controls are both manual and automated controls and consist of general and application controls
• General controls
  § Govern the design (fewer bugs), security (preventing unauthorized access or alteration), and use of computer programs
  § Govern the security of data files in general throughout the organization’s information technology infrastructure
  § Apply to all computerized applications
  § Combination of hardware, software, and manual procedures to create an overall control environment


Application controls
• Specific controls unique to each computerized application, such as payroll or order processing
• Include:
  § Input controls: Check input data for accuracy and completeness
  § Processing controls: Establish that data are complete and accurate during updating
  § Output controls: Check that the results of computer processing are accurate, complete, and properly shown/distributed
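The three application control types, worked through on the payroll example the slide mentions. This is an added example, not code from the textbook: it uses batch control totals (record count and hours total) as one common way to implement processing controls, and the record layout, the 80-hour plausibility limit and the 1.5x overtime rule are assumptions for illustration.

```python
# Added example (not from the slides): input, processing and output controls on
# a payroll batch. Layout, 80-hour limit and 1.5x overtime rule are assumed.
from collections import namedtuple
PayRecord = namedtuple("PayRecord", "employee_id hours rate")
MAX_WEEKLY_HOURS = 80.0  # assumed reasonableness limit (input control)

def input_controls(records):
    """Input control: accept only well-formed, plausible, non-duplicate records."""
    accepted, rejected, seen = [], [], set()
    for r in records:
        if not (r.employee_id.startswith("E") and r.employee_id[1:].isdigit()):
            rejected.append((r.employee_id, "malformed employee id"))
        elif r.employee_id in seen:
            rejected.append((r.employee_id, "duplicate record in batch"))
        elif not 0 < r.hours <= MAX_WEEKLY_HOURS or r.rate <= 0:
            rejected.append((r.employee_id, "hours or rate out of range"))
        else:
            seen.add(r.employee_id)
            accepted.append(r)
    return accepted, rejected

def process_payroll(records):
    """Processing control: pre-update batch totals must reconcile with what was processed."""
    expected = (len(records), sum(r.hours for r in records))
    results, processed_hours = {}, 0.0
    for r in records:
        overtime = max(0.0, r.hours - 40.0)
        results[r.employee_id] = round((r.hours - overtime) * r.rate + overtime * r.rate * 1.5, 2)
        processed_hours += r.hours
    if (len(results), processed_hours) != expected:
        raise RuntimeError("processing control failed: batch totals do not reconcile")
    return results

def output_controls(results, accepted):
    """Output control: one non-negative pay line per accepted employee; total is sum of lines."""
    missing = {r.employee_id for r in accepted} - set(results)
    ok = not missing and all(v >= 0 for v in results.values())
    return ok, round(sum(results.values()), 2)

# Constructed sample batch (not real data); the last three rows are deliberately bad.
SAMPLE_BATCH = [
    PayRecord("E1001", 40.0, 20.0), PayRecord("E1002", 45.0, 30.0),
    PayRecord("E1003", 38.5, 18.0), PayRecord("X9", 40.0, 20.0),
    PayRecord("E1002", 10.0, 30.0), PayRecord("E1004", 120.0, 25.0),
]

def run_payroll_batch(batch=SAMPLE_BATCH):
    accepted, rejected = input_controls(batch)
    results = process_payroll(accepted)
    ok, total = output_controls(results, accepted)
    return {"rejected": rejected, "results": results, "output_ok": ok, "total": total}
```

Running `run_payroll_batch()` rejects the three bad rows at the input stage, so the processing and output controls only ever see a batch whose totals are known in advance.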


Disaster recovery and business continuity planning
• Disaster recovery planning: Devises plans for the restoration of computing and communication services, e.g. a recovery plan for power outages. This planning focuses on the technical issues of keeping systems up and running.
• Business continuity planning: Focuses on restoring business operations after a disaster strikes.
• Both types of plans need to identify the firm’s most critical systems and business processes
  § Business impact analysis to determine the impact of a system outage on business processes
  § Management must determine which systems to restore first


Tools for protection against malware and intruders
• Firewall: Combination of hardware and software that prevents unauthorized users from accessing private networks
  § Identifies names, IP addresses, applications and other characteristics of incoming traffic
  § Technologies include: packet filtering, stateful inspection, network address translation (NAT), application proxy filtering
• Network intrusion detection systems: Monitor hot spots on corporate networks to detect and deter intruders
  § Examine events as they are happening to discover attacks in progress
• Antivirus and antispyware software: Checks computers for the presence of malware and can often eliminate it as well
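A minimal model of two of the firewall technologies the slide lists, packet filtering and stateful inspection, showing why a stateless filter either drops replies to connections opened from inside or has to open wide port ranges, while a stateful firewall admits only packets belonging to a tracked connection. This is an added example, not from the textbook; the private address prefix, rule format, ports and packets are constructed for illustration.

```python
# Added example (not from the slides): a minimal model of two firewall
# technologies the slide lists, packet filtering and stateful inspection.
# Address ranges, rule syntax and ports are assumptions for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn")  # syn: first packet of a TCP connection
INTERNAL_PREFIX = "10.0.0."                               # assumed private network

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

# Stateless rules: inbound traffic is allowed only to these destination ports.
INBOUND_ALLOWED_PORTS = {80, 443}

def packet_filter(pkt):
    """Packet filtering: judge each packet on its own header fields.
    Replies to connections opened from inside match no rule and are dropped
    unless the administrator also opens the high client-port range."""
    if is_internal(pkt.src):
        return "allow"                       # outbound traffic is allowed
    return "allow" if pkt.dport in INBOUND_ALLOWED_PORTS else "deny"

class StatefulFirewall:
    """Stateful inspection: remember connections opened from inside and admit
    inbound packets that belong to them; everything else falls back to rules."""
    def __init__(self):
        self.connections = set()  # (internal ip, internal port, external ip, external port)

    def inspect(self, pkt):
        if is_internal(pkt.src):
            if pkt.syn:                      # new outbound connection: track it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"                   # reply to a tracked connection
        return packet_filter(pkt)            # unsolicited: explicit rules only

def demo():
    """Constructed packets: an outbound HTTPS request, its reply, and an
    unsolicited inbound packet aimed at the same client port."""
    fw = StatefulFirewall()
    request = Packet("10.0.0.5", 51000, "203.0.113.7", 443, True)
    reply = Packet("203.0.113.7", 443, "10.0.0.5", 51000, False)
    unsolicited = Packet("198.51.100.9", 4444, "10.0.0.5", 51000, True)
    fw.inspect(request)
    return {
        "reply_stateless": packet_filter(reply),     # "deny": no rule for port 51000
        "reply_stateful": fw.inspect(reply),         # "allow": matches tracked connection
        "unsolicited_stateful": fw.inspect(unsolicited),  # "deny"
    }
```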


Securing wireless networks
• The initial security standard developed for Wi-Fi is called Wired Equivalent Privacy (WEP)
  § WEP is not very effective since the encryption keys are static and easy to crack
• The Wi-Fi Alliance finalized the Wi-Fi Protected Access 2 (WPA2) specification, replacing WEP with stronger standards
  § Encryption keys are continuously changing