Chapter 8

Securing Information Systems

Information systems are essential to the operation of modern businesses. However, these systems are
vulnerable to destruction, error, and abuse.

Securing Information Systems is critical to ensuring that businesses can operate effectively and protect
sensitive data.

This chapter will discuss :

- why information systems are vulnerable,

- the business value of security and control,
- the components of an organizational framework for security and control, and
- the tools and technologies for safeguarding information resources.

The term controls refers to all the methods and procedures established by an organization to ensure

- the safety of the organization's resources,

- the reliability of its records, and
- its adherence to laws and ethical requirements.

Why are Information Systems vulnerable to destruction, error, and abuse?

Information systems are vulnerable to destruction, error, and abuse for several reasons.

First, information systems rely on technology that can fail or be vulnerable to attack.

Second, humans are often the weakest link in information security, as they can make mistakes or be
vulnerable to social engineering attacks.

Finally, businesses often collect and store sensitive data, making them a target for cybercriminals.

Malware is a type of software that is designed to harm computer systems or networks.

There are several types of malware, including viruses, worms, Trojan horses, SQL injection attacks,
ransomware, spyware, and others.

Viruses are a type of malware that spreads by infecting other files or programs. Once a virus infects a
system, it can replicate itself and cause damage to files, programs, or the entire system.

Worms are similar to viruses but do not require a host program to spread. Instead, worms can replicate
themselves and spread across networks or the internet, causing damage to multiple systems.

Trojan horses are a type of malware that disguises itself as a legitimate program or file, but once it is
installed on a system, it can cause damage or give an attacker access to the system.

SQL injection attacks are a type of malware that targets databases and web applications. Attackers use
malicious code to inject SQL statements into a web application, allowing them to access and manipulate
data in the database.
Ransomware is a type of malware that encrypts files on a system and demands payment in exchange for
the decryption key. Ransomware attacks have become increasingly common in recent years, with
attackers targeting businesses and individuals.

Spyware is a type of malware that is designed to gather information from a system without the user's
knowledge or consent. Spyware can track keystrokes, capture screenshots, and collect other sensitive
information.

Other types of malware include adware, which displays unwanted ads or pop-ups, and rootkits, which
allow attackers to gain privileged access to a system and remain hidden from detection.

To protect against malware, it is important

- to use antivirus software,

- keep systems and software up to date with security patches, and
- practice safe browsing habits such as avoiding suspicious websites or email attachments.
- It is also important to regularly back up important data to protect against ransomware attacks.

The Business Value of Security and Control

The business value of security and control is significant.

Effective security and control measures can

- help businesses protect sensitive data,

- avoid legal and regulatory penalties, and
- maintain the trust of customers and partners.
- Additionally, strong security measures can help businesses operate more efficiently and
- reduce the risk of downtime and other disruptions.

Security challenges that threaten corporate information systems include

- possible theft of data,

- possible copying of data by employees or clients,
- alteration of data (either intentional or unintentional), and
- failure of the hardware of the organization, such as its computer network.

Components of an Organizational Framework for Security and Control

An organizational framework for security and control should include several key components. These
include:

 Policies and Procedures: Policies and procedures provide a framework for security and control,
outlining the rules and expectations for employees and other stakeholders. Companies very
often try to rationalize their procedures to combine steps in a business process, reduce
bottlenecks, and thus improve efficiency.

 Risk Management: Risk management involves identifying potential risks and implementing
measures to mitigate or avoid them.
  Access Controls: Access controls ensure that only authorized users can access sensitive data and
systems.

 Physical Security: Physical security measures protect the physical assets of a business, such as
servers and data centers.

 Incident Management: Incident management involves responding to security incidents,

including data breaches and other security breaches.

Tools and Technologies for Safeguarding Information Resources

Several tools and technologies can be used to safeguard information resources. These include:

 Firewalls: Firewalls are used to prevent unauthorized access to a business's network.

 Encryption: Encryption is used to protect sensitive data by converting it into an unreadable

format.

 Antivirus Software: Antivirus software is used to detect and remove malware from a business's
systems.

 Intrusion Detection Systems: Intrusion detection systems are used to monitor a business's
network for signs of unauthorized access or other security threats.

 Virtual Private Networks (VPNs): VPNs are used to encrypt and secure data transmitted over
the internet.

Security threats include

- spyware,
- phishing scams, and
- farming scams.

Spyware plants a program on a user's hard drive that tracks the person's internet usage.

Phishing scams send emails purporting to be from reputable companies, like banks, to induce recipients
to reveal personal information such as passwords and credit card numbers.

Farming scams redirect users to a fraudulent website even when the user has typed in the correct
address in the web browser.

For example, in 2016, a series of cyberattacks were launched against the SWIFT global banking network,
resulting in the theft of millions of dollars from several major financial institutions. The attackers used
sophisticated techniques to gain access to the SWIFT system and transfer funds to their own accounts.

The first attack occurred in February 2016 when hackers infiltrated the Bangladesh bank's computer
systems and stole $81 million.

The attackers had gained access to the SWIFT messaging system, which is used by banks to
communicate with each other and transfer funds. They used stolen credentials to send fraudulent
messages to the New York Federal Reserve Bank, requesting the transfer of funds from the Bangladesh
Bank’s account to several other accounts. The attack was initially successful, with the funds being
transferred to accounts in the Philippines and Sri Lanka. However, a typo in one of the fraudulent
messages alerted the Bangladesh Bank to the fraud, and they were able to stop the transfer of an
additional $870 million.

In May 2016, a similar attack was launched against the Tien Phong Bank in Vietnam, resulting in the loss
of $10 million. Again, the attackers had gained access to the bank’s SWIFT system and used fraudulent
messages to transfer funds to accounts in other countries.

Over the course of the year, several more banks were targeted in similar attacks, including banks in
Ecuador, Ukraine, and the Philippines. In total, it is estimated that the attackers stole over $100 million.

The attacks were attributed to a group of hackers believed to be based in North Korea. The group,
known as the Lazarus Group, has been linked to several other high-profile cyberattacks, including the
2014 attack on Sony Pictures.

The attacks highlighted the vulnerability of the global banking system to cyberattacks and raised
concerns about the security of the SWIFT network.

In response, SWIFT implemented new security measures and urged member banks to improve their own
security practices.

The attacks also underscored the importance of cybersecurity in the financial industry and the need for
continued vigilance and investment in cybersecurity measures.