Chapter 5 Securing Information Systems
8.1 © 2010 by Prentice Hall
Management Information Systems
Chapter 8 Securing Information Systems
LEARNING OBJECTIVES
• Explain why information systems are vulnerable to destruction, error, and abuse.
• Assess the business value of security and control.
• Identify the components of an organizational framework for security and control.
• Evaluate the most important tools and technologies for safeguarding information resources.
System Vulnerability and Abuse
• Security:
  • Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls:
  • Methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards
System Vulnerability and Abuse
• Why systems are vulnerable
  • Hardware problems
    • Breakdowns, configuration errors, damage from improper use or crime
  • Software problems
    • Programming errors, installation errors, unauthorized changes
  • Disasters
    • Power failures, floods, fires, etc.
  • Use of networks and computers outside of the firm's control
    • E.g., with domestic or offshore outsourcing vendors
System Vulnerability and Abuse
• Internet vulnerabilities
  • Network open to anyone
  • Size of the Internet means abuses can have a wide impact
  • Use of fixed Internet addresses with permanent connections to the Internet eases identification by hackers
  • E-mail attachments
  • E-mail used for transmitting trade secrets
System Vulnerability and Abuse
• Wireless security challenges
  • Radio frequency bands are easy to scan
  • SSIDs (service set identifiers)
    • Identify access points
    • Broadcast multiple times
  • War driving
    • Eavesdroppers drive by buildings and try to intercept network traffic
    • When a hacker gains access to the SSID, he or she has access to the network's resources
  • WEP (Wired Equivalent Privacy)
    • Security standard for 802.11
    • Basic specification uses a shared password for both users and the access point
    • Users often fail to use security features
System Vulnerability and Abuse
Wi-Fi Security Challenges
Figure 8-2: Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
System Vulnerability and Abuse
The Worst Data Theft Ever?
• Read the Interactive Session: Organizations and then discuss the following questions:
  • List and describe the security control weaknesses at TJX Companies.
  • What management, organization, and technology factors contributed to these weaknesses?
  • What was the business impact of TJX's data loss on TJX, consumers, and banks?
  • How effectively did TJX deal with these problems?
  • Who should be held liable for the losses caused by the use of fraudulent credit cards in this case? The banks issuing the cards or the consumers? Justify your answer.
  • What solutions would you suggest to prevent the problems?
System Vulnerability and Abuse
• Malicious software (malware)
  • Viruses: Rogue software programs that attach themselves to other software programs or data files in order to be executed
  • Worms: Independent computer programs that copy themselves from one computer to other computers over a network
  • Trojan horses: Software programs that appear to be benign but then do something other than expected
  • Spyware: Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
  • Key loggers: Record every keystroke on a computer to steal serial numbers and passwords or to launch Internet attacks
System Vulnerability and Abuse
• Hackers and computer crime
  • Hackers vs. crackers
  • Activities include
    • System intrusion
    • Theft of goods and information
    • System damage
    • Cybervandalism: intentional disruption, defacement, or destruction of a Web site or corporate information system
System Vulnerability and Abuse
• Spoofing
  • Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
  • Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
• Sniffer: Eavesdropping program that monitors information traveling over a network
• Denial-of-service attacks (DoS): Flooding a server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS
• Botnets: Networks of "zombie" PCs infiltrated by bot malware
System Vulnerability and Abuse
• Computer crime
  • Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
  • Computer may be the target of crime, e.g.:
    • Breaching confidentiality of protected computerized data
    • Accessing a computer system without authority
  • Computer may be the instrument of crime, e.g.:
    • Theft of trade secrets
    • Using e-mail for threats or harassment
System Vulnerability and Abuse
• Identity theft: Theft of personal information (Social Security ID, driver's license, or credit card numbers) to impersonate someone else
• Phishing: Setting up fake Web sites or sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
System Vulnerability and Abuse
• Click fraud
  • An individual or computer program clicks an online ad without any intention of learning more or making a purchase.
System Vulnerability and Abuse
• Software vulnerability
  • Commercial software contains flaws that create security vulnerabilities
    • Hidden bugs (program code defects)
    • Zero defects cannot be achieved because complete testing is not possible with large programs
    • Flaws can open networks to intruders
  • Patches
    • Vendors release small pieces of software to repair flaws
    • However, the amount of software in use can mean exploits are created faster than patches can be released and implemented
Business Value of Security and Control
• Lack of security and control can lead to
  • Loss of revenue
    • Failed computer systems can lead to significant or total loss of business function
  • Lowered market value
    • Information assets can have tremendous value
    • A security breach may cut into a firm's market value almost immediately
  • Legal liability
  • Lowered employee productivity
  • Higher operational costs
Business Value of Security and Control
• Electronic evidence
  • Evidence for white-collar crimes is often found in digital form
    • Data stored on computer devices, e-mail, instant messages, e-commerce transactions
  • Proper control of data can save time and money when responding to a legal discovery request
• Computer forensics:
  • Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
  • Includes recovery of ambient and hidden data
Establishing a Framework for Security and Control
• Application controls
  • Specific controls unique to each computerized application, such as payroll or order processing
  • Include both automated and manual procedures
  • Ensure that only authorized data are completely and accurately processed by that application
  • Types of application controls:
    • Input controls
    • Processing controls
    • Output controls
Establishing a Framework for Security and Control
• Risk assessment
  • Determines the level of risk to the firm if a specific activity or process is not properly controlled
    • Types of threat
    • Probability of occurrence during the year
    • Potential losses, value of threat
    • Expected annual loss (probability of occurrence x average loss)

EXPOSURE        PROBABILITY   LOSS RANGE (AVERAGE)      EXPECTED ANNUAL LOSS
Power failure   30%           $5K - $200K ($102,500)    $30,750
Embezzlement    5%            $1K - $50K ($25,500)      $1,275
User error      98%           $200 - $40K ($20,100)     $19,698
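The table above can be reproduced from its inputs alone: the "(average)" column is the midpoint of each loss range, and expected annual loss is that average multiplied by the probability of occurrence in a year. The following Python is an added example, not part of the textbook slides; it parses the loss ranges exactly as printed, recomputes the averages and expected annual losses, and ranks the exposures so the firm can see which risk deserves control spending first.

```python
import re

# Risk-assessment rows transcribed from the slide's table:
# (exposure, annual probability of occurrence, loss range as printed)
EXPOSURES = [
    ("Power failure", 0.30, "$5K - $200K"),
    ("Embezzlement", 0.05, "$1K - $50K"),
    ("User error", 0.98, "$200 - $40K"),
]

# Matches the slide's money notation: "$200", "$5K", "$1.5M"
_AMOUNT = re.compile(r"\$(\d+(?:\.\d+)?)([KM]?)")

def parse_amount(text):
    """Turn '$5K' / '$200' / '$1.5M' into an integer number of dollars."""
    m = _AMOUNT.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised amount: {text!r}")
    multiplier = {"": 1, "K": 1_000, "M": 1_000_000}[m.group(2)]
    return int(round(float(m.group(1)) * multiplier))

def parse_loss_range(text):
    """Split '$5K - $200K' into (low, high) dollars, rejecting inverted ranges."""
    low, high = (parse_amount(part) for part in text.split("-"))
    if low > high:
        raise ValueError(f"loss range is inverted: {text!r}")
    return low, high

def average_loss(loss_range):
    """The slide's '(average)' column is the midpoint of the loss range."""
    low, high = parse_loss_range(loss_range)
    return (low + high) / 2

def expected_annual_loss(probability, loss_range):
    """Expected annual loss = probability of occurrence in a year x average loss."""
    return probability * average_loss(loss_range)

def risk_table(rows=EXPOSURES):
    """(name, probability, average, EAL) per exposure, highest EAL first."""
    table = [(name, p, average_loss(rng), expected_annual_loss(p, rng))
             for name, p, rng in rows]
    return sorted(table, key=lambda row: row[3], reverse=True)

def total_expected_annual_loss(rows=EXPOSURES):
    """Sum of EAL across all exposures: the firm's total annualised risk."""
    return sum(row[3] for row in risk_table(rows))

if __name__ == "__main__":
    for name, p, avg, eal in risk_table():
        print(f"{name:14} {p:4.0%}  avg ${avg:>10,.0f}  EAL ${eal:>9,.0f}")
    print(f"Total expected annual loss: ${total_expected_annual_loss():,.0f}")
```

The ranking shows that the high-frequency, low-severity exposure (user error) outweighs the rare but costly one (embezzlement) once both are annualised, which is the point of the expected-annual-loss column.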
Establishing a Framework for Security and Control
• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after a disaster
• Both types of plans are needed to identify the firm's most critical systems and business processes
  • Business impact analysis to determine the impact of an outage
  • Management must determine
    • Maximum time systems can be down
    • Which systems must be restored first