
Week-13

Information Systems (IS) Security and Control


Introduction to Information Security


With the rapidly growing importance of Information
Systems, the information they hold is becoming
more and more vulnerable.

Security is the main concern nowadays, due to
the large amount of cybercrime and data sabotage
over the Internet.

Due to insecurity in every aspect of life, we
need to worry about how to protect our
information systems from outside hackers and
attackers.

Security Threats & Technologies

Security Threats
Today we hear about many security breaches that affect
organizations and individuals. Some recently in the news:
• Identity Theft – gaining access to someone's personal
information, allowing the thief to imitate them (e.g., a stolen laptop)
• Denial of Service – attacks on websites using zombie
computers that overwhelm the site and shut it down
• Others: Spyware, Spam, Wireless Access, Viruses

Security Technologies
Companies and research organizations continue to develop and
refine technologies to prevent security breaches. Some include:
• Firewalls
• Biometrics
• VPN and Encryption
Security Threat: Spyware, Spam, and Cookies
Spyware
Any software that covertly gathers information about a user
through an Internet connection without the user's knowledge
• Problems: uses memory resources, uses bandwidth, and can
cause system instability
• Prevention: Firewalls and anti-spyware software

Spam
Electronic junk mail or junk newsgroup postings, usually for the
purpose of advertising some product and/or service
• Problems: nuisance, wastes time deleting, uses storage
• Prevention: Spam Blocker software

Cookies
A message passed to a browser from a Web server. Used by
legitimate programs to store state and user information
• Problems: can be used to track user activities
• Prevention: browser settings, firewall
Security Technology: Biometrics

Biometrics
• A sophisticated authentication
technique used to restrict access to
systems, data and/or facilities
• Uses biological characteristics to
identify individuals such as
fingerprints, retinal patterns in the
eye, etc. that are not easily
counterfeited
• Has great promise in providing high
security

Security Threat: Access to Wireless
Unauthorized Access to Wireless Networks
With the prevalence of wireless networks, this threat is
increasing
• Problems - Drive-by hacking: an attacker accesses the
network, intercepts data from it, and can use network services
and/or send attack instructions without entering the building
• Prevention - Encryption between network and user devices

Security Technology: VPN and Encryption
VPN (Virtual Private Network)
• Called a secure tunnel
• Dynamically generated network connection to connect users or
nodes
• This approach uses both authentication and encryption
• Used extensively for remote access by employees

Encryption
• The process of encoding messages before they enter the network or
airwaves, and then decoding at the receiving end
• Public Key - known and used to scramble messages
• Private Key - kept secret and used by the receiver to descramble messages
• Certificate Authority – a third party that issues keys
IS Vulnerability and Abuse

As our society and the world itself come to depend on computers and
information systems more and more, systems must become more reliable.
The systems must also be more secure when processing transactions and
maintaining data. These two issues, which we address this week, are the
biggest issues facing those wanting to do business on or expand their
operations to the Internet. The threats are real, but so are the solutions.

Why Systems Are Vulnerable

The table below points out some of the technical, organizational, and
environmental threats to Information Systems.

The weakest link in the chain is poor management of the system. If
managers at all levels don't make security and reliability their number one
priority, then the threats to an Information System can easily become real.

With distributed computing used extensively in network systems, you have
more points of entry, which can make attacking the system easy. The more
people you have using the system, the more potential for fraud and abuse of
the information maintained in that system.

Yes, it's hard to control everyone's actions. It's easy for people to say that
they are only one person and therefore they won't make much difference.
But it only takes one person to disable a system or destroy data. Let's see
why.

Hardware failure                        Fire
Software failure                        Electrical problem
Personnel actions                       User errors
Terminal access penetration             Program changes
Theft of data, services, equipment      Telecommunications problems

Table: Threats to computerized Information Systems



Hackers, those who intentionally create havoc (crime-
disturbance) or do damage to a computer system, have been
around for a long time.

Many companies don't report hackers' attempts to enter their
systems because they don't want people to realize their
systems are vulnerable.

That makes gathering real statistics about hacking attempts and
successes hard. It is a huge problem, though.
Reasons For Hacking

Theft of services: The first reason is theft of
service. If a system offers some type of
service and a hacker has a use for it, they
will hack the system. Examples of such
systems are on-line information networks
(CompuServe, AOL, etc.)

Take valuable files: The second reason a
hacker may hack into a system is to take
valuable files, e.g., Credit card numbers, or
info on operation of telecommunication
systems

Vengeance and hate: Another reason for hacking
is vengeance and hatred.

E.g., a hacker pillaged US files to sell secrets
to Saddam.

Thrill and excitement: The fourth reason hackers
break into systems is for the thrill and excitement
of being somewhere you are not authorized to be

Knowledge and experiment: The final reason why
hackers do what they do is just for knowledge and
experiment. Hackers learn a great deal every
time they break into a new type of system
Melissa Virus

In March 1999 a virus called Melissa was written by a hacker and
sent out via an email attachment. While the virus didn't damage any
computer files or data, it severely hampered normal operations of
many companies and Internet Service Providers through the
increased number of emails it generated. Here's what CERT
(Computer Emergency Response Team) said about it on its Web site
(http://www.cert.org/): "Melissa was different from other macro
viruses because of the speed at which it spread. The first confirmed
reports of Melissa were received on Friday, March 26, 1999. By
Monday, March 29, it had reached more than 100,000 computers.
Some sites had to take their mail systems off-line. One site reported
receiving 32,000 copies of mail messages containing Melissa on their
systems within 45 minutes."

Whether you use a stand-alone PC or your computer is attached to a
network, you're just asking for trouble if you don't have antivirus
software. This type of software checks every incoming file for
viruses. Not if, but when, you receive an infected file, the software
alerts you to its presence. You can choose to delete the file or "clean"
it. Make sure you update your antivirus software every 30 to 60 days
because new viruses are constantly being written and passed around.
Potential Destruction concerns with IS Builders and
Users

Every user must be concerned about potential destruction of
the Information Systems on which they rely. We can't stress this
point enough. Let us look at three concerns: disasters,
security, and errors.

Natural disasters such as fires and earthquakes can strike at
any time. A spilled cup of coffee can also do some damage!

As the text points out, many companies create fault-tolerant
systems that are used as back-ups to help keep operations
running if the main system should go out. These back-up
systems add to the overall cost of the system.

Just imagine what would happen if an airline reservation system
(a typical online transaction processing system) went down, due
to catastrophic attack (thundering), fire or power loss etc.

Companies spend a lot of money on physical security such as
locks on doors or fences around supply depots. They need to
do the same thing on their Information Systems. Here the
security is in the policies, procedures, and technical
measures the company uses to keep out unauthorized
users or prevent physical damage to the hardware.

Surely you've heard the saying, "Garbage In, Garbage Out."
What may seem like a simple error to you may not be to the
customer. Let's flip that around; what if you wanted to fly to
Dallas on March 15 and the reservation clerk booked you on a
flight for April 15? The potential for error exists all through the
processing cycle.

You must be aware of these error points when designing and
building a system, especially an end-user developed system.
Creating Computer Operations controls

How do you help prevent some of the problems we've discussed?

One of the best ways is to introduce controls into your Information System.

For example, think about what a typical company does when it builds a new
office building. From the beginning of the design phase until the building is
occupied, the company decides how the physical security of the building and
its occupants will be handled. It builds locks into the doors, maybe even
designs a single entry control point. It builds a special wing for the executive
offices that has extra-thick bulletproof glass. Fences around the perimeter of
the building control the loading docks.

These are just a few examples to get you to think about the fact that the
company designs the security into the building from the beginning. You
should do the same thing with an Information System.

Let's look at the two distinct types of controls:

General Controls, which focus on the design, security and use of computer
programs and data files.

Application Controls, which are concerned with the actual application
programs.
Data Security controls


Data security controls should consist of passwords that allow
only certain people access to the system or to certain areas of
the system.

While you may want to grant employees access to their payroll
data or 401K data through an Intranet, you must make sure
they can access only their information and not that of any other
employee. You wouldn't want a co-worker to be able to access
your paycheck information, would you?

If you allow employees to keep certain data on their machines
that are not backed up to the mainframe computer, you need to
ensure that safeguards are installed on the individual PCs.
Make sure you have controls in place for access to individual
data, backing them up, and properly protecting them against
corruption. Do you even have a policy about whether
employees can store data on their individual terminals?

Fig 13.2: Personnel system security profiles.
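
The rule above (employees may reach only their own payroll and 401K data) can be enforced with per-role security profiles that limit both which records and which fields are readable. The sketch below is an added example, not part of the original slides; the employee records, role names, profile contents and function names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for illustration (not from the slides).
RECORDS = {
    "E100": {"name": "A. Rivera", "division": "sales", "salary": 52000, "plan_401k": 8100},
    "E200": {"name": "B. Chen", "division": "sales", "salary": 61000, "plan_401k": 12400},
    "E300": {"name": "C. Okafor", "division": "ops", "salary": 58000, "plan_401k": 9900},
}
# Role assignments live on the server; the caller never supplies its own role.
USER_ROLES = {"E100": "employee", "E200": "division_manager", "E300": "clerk"}

@dataclass(frozen=True)
class Profile:
    """Security profile: which records (scope) and which fields a role may read."""
    scope: str          # "self", "division" or "all"
    fields: frozenset

PROFILES = {  # hypothetical profiles
    "employee": Profile("self", frozenset({"name", "salary", "plan_401k"})),
    "division_manager": Profile("division", frozenset({"name", "division", "salary"})),
    "clerk": Profile("all", frozenset({"name", "division"})),  # no pay fields
}

SECURITY_LOG = []  # every decision is recorded so access can be reviewed later

def in_scope(profile, requester, target, same_person):
    """Record-level check: does the profile's scope cover the target record?"""
    if profile.scope == "all":
        return True
    if profile.scope == "division":
        return requester["division"] == target["division"]
    return profile.scope == "self" and same_person

def read_record(user_id, target_id):
    """Return only the fields the requester's profile permits, or raise."""
    profile = PROFILES.get(USER_ROLES.get(user_id))
    requester, target = RECORDS.get(user_id), RECORDS.get(target_id)
    allowed = (all(x is not None for x in (profile, requester, target))
               and in_scope(profile, requester, target, user_id == target_id))
    SECURITY_LOG.append((user_id, target_id, "ALLOW" if allowed else "DENY"))
    if not allowed:  # default deny: unknown user, role or record also lands here
        raise PermissionError(f"{user_id} may not read {target_id}")
    return {k: v for k, v in target.items() if k in profile.fields}
```

The denied attempts remain in `SECURITY_LOG`, which is the kind of record the "Create Security Logs" item in the Prevention list asks you to review.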
Prevention


Security Profiles -- Build personal Data security profiles.

Object Security -- Enable individualized object security access
permissions.

Antivirus -- Install antivirus programs.

Firewalls -- Install and enable firewall support.

Change passwords -- Change passwords regularly, at least
once in a week.

No Disk Sharing -- Viruses can be transferred to clean
computers by inserting disks containing infected files.

Delete Suspicious Email Messages -- Do not open suspicious
e-mail messages…Delete Only!

Create Security Logs -- Review system logs to notice access
to the system.
Administrative controls

To properly execute and enforce all these controls, you have to
have administrative controls--rules, procedures, standards, and
discipline.

You don't want to wait until disaster strikes, until a hacker
destroys data, or an employee steals information and gives it to
the competition, to realize you weren't paying attention to what's
going on.
Application controls

We've talked about controls for the general use of an
Information System.

Application controls are specific controls within each computer
application used in the system.

Each activity in the system needs controls to ensure the
integrity of the data input, how it's processed, and how it's
stored and used.
Input controls

Are the data accurate and complete? We used an example
earlier of a course grade being entered incorrectly. “If your
system had a method to check the data on the input
documents against the actual data entered into the system,
this kind of error could be caught and corrected at the time
it was entered”. Many companies are using source data
automation to help eliminate input errors.

Managers can use control totals to determine that the
documents used to enter data equal the number of transactions
processed by the system.

For instance, if the Sales Department says it entered data from
1,500 documents on April 21, were 1,500 transactions actually
processed by the system that same day? If the number is
different, managers can investigate the discrepancy and
determine the cause of the mismatch.
Processing controls

As the name describes, “processing controls are used
during the actual processing of the data”.

If Suzy says she entered 100 items into the system on
Tuesday, your application program would have a method of
checking and reporting the actual number of data entries for
that day. Not that you think Suzy is lying; you just need to have
a method of verifying and reconciling (accommodating) data
entered against data processed.

If Sam mistakenly submitted two invoices for the same
customer on the same day with the same parts ordered, a
computer matching control would catch the discrepancy
(disagreement) and create a report that can be used to
investigate the error. Perhaps the customer really did order the
same part twice on the same day. More than likely it is an error
that's better caught before it causes an embarrassing incident
for the company.
Output controls

Is the information created from the data accurate, complete,
and properly distributed? “Output controls can verify who
gets the output”, and if they're authorized to use it. You can
also use output controls to match the number of transactions
input, the number of transactions processed, and the number of
transactions output.

Maybe there's a glitch in the system somewhere that is causing
transactions to be recorded twice on the data storage device.
Obviously that's a situation the company should know about
before customers report it. Output controls can help you
uncover this kind of discrepancy.
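
The three application controls described above (control totals on input, computer matching during processing, and count reconciliation on output) can each be expressed as a small check. The code below is an added example, not part of the original slides; the invoice fields, identifiers and function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample batch (not from the slides): INV-1 and INV-2 are the same
# customer, same day, same parts, listed in a different order.
INVOICES = [
    {"invoice_id": "INV-1", "customer": "C-17", "date": "04-21", "parts": ["P-9", "P-2"]},
    {"invoice_id": "INV-2", "customer": "C-17", "date": "04-21", "parts": ["P-2", "P-9"]},
    {"invoice_id": "INV-3", "customer": "C-40", "date": "04-21", "parts": ["P-2"]},
]

def control_total_check(declared_documents, processed):
    """Input control: compare the number of source documents a department
    says it entered with the number of transactions actually processed."""
    actual = len(processed)
    return {"declared": declared_documents, "processed": actual,
            "discrepancy": actual - declared_documents}

def match_duplicates(invoices):
    """Processing control (computer matching): pair up invoices that share
    customer, date and the same set of parts, for a person to investigate."""
    first_seen, exceptions = {}, []
    for inv in invoices:
        key = (inv["customer"], inv["date"], tuple(sorted(inv["parts"])))
        if key in first_seen:
            exceptions.append((first_seen[key], inv["invoice_id"]))
        else:
            first_seen[key] = inv["invoice_id"]
    return exceptions

def reconcile_stages(n_input, n_processed, stored_ids):
    """Output control: input, processed and output counts must agree, and no
    transaction may appear twice on the storage device."""
    twice = sorted(i for i, n in Counter(stored_ids).items() if n > 1)
    return {"counts_agree": n_input == n_processed == len(stored_ids),
            "recorded_twice": twice}
```

The matching check only reports the pair; as the slides note, the customer may really have ordered the same part twice, so the decision stays with the person reviewing the exception report.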
