Sunday, April 1, 2012

Chapter 8 - Securing Information Systems

Data is more vulnerable today that it ever has been.  Unauthorized access, abuse, fraud, floods, fires, and power failures, only to name a few, can occur at any access point in the network.  If hardware breaks down or software fails due to errors in programming, improper installation, or unauthorized changes systems become more vulnerable.  The Internet is more vulnerable than private networks because it is available to practically anyone.  The increased use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs has also caused an increase in vulnerability.  In addition, Bluetooth and Wi-Fi networks are more susceptible to hacking by eavesdroppers. 

Malware, which is malicious software programs, include a variety of threats, such as computer viruses, worms, and Trojan horses.  A computer virus is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without the user’s knowledge or permission.  Worms are independent computer programs that copy themselves from one computer to other computers over a network.  Worms spread much more quickly than viruses because they operate on their own relying less on human behavior in order to spread.  A Trojan horse is a software program that appears legitimate, but has a hidden motive.  Once installed on computers it allows access so hackers are able to get in and obtain personal information.  SQL injection attacks are the largest malware threat.  They take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems and networks.  Spyware can also act as malicious software by installing themselves secretively on computers to monitor user Web surfing and serve up advertising.

A hacker is an individual who gains unauthorized access to a computer system by finding weaknesses in the security protections employed by Web sites and computer systems. They often take advantage of various features of the Internet that make it an open system that is easy to use.  They attempt to hide their true identity by misrepresenting themselves by using a fake email address or impersonating as someone else.  This is known as spoofing.  Hackers can use a sniffer to steal proprietary information from anywhere on a network.  This is a type of eavesdropping program that monitors information traveling over a network.  Using a denial-of-service (DoS) attack allows hackers to flood a network server or Web server with many thousands of false communications or requests for services to crash the network.  A distributed denial-of-service (DDoS) attack uses numerous computers to overwhelm the network from numerous launch points. 

Computer crimes have been on the rise with the ease of access.  They can cost companies thousands and thousands of dollars in damage.  They often times go unreported because they may involve employees, or the company fears that publicizing its vulnerability will hurt its reputation.  DoS attacks are the most economically damaging because they introduce viruses, theft of services, and disruption of computer systems. 

Identity theft has also seen an increase with the growth of the Internet and electronic commerce.  This is a crime where an imposter obtains key pieces of personal information and uses it to impersonate someone else.  One common tactic is a form of spoofing known as phishing.  This involves setting up fake Web sites or sending email or text messages that look like those of legitimate businesses to ask users for confidential personal data.  Evil twins and pharming are two types of phishing techniques that are harder to detect.  Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet.  Pharming redirects users to a bogus Web page, even when the user types the correct Web page address into his or her browser.  Click fraud happens when someone fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase. 

Employees pose just as much of a threat to a business as do outsiders.  They have access to privy company information and without proper controls and security in place they may be able to roam throughout the organization’s systems without anyone’s knowledge.  Social engineering is one way to gain access to a company’s networks.  This is tricking people into revealing their passwords by pretending to be legitimate users or members of a company in need of information.  Also, both the end users and the information systems specialists are a major source of errors introduced into information systems.

Software flaws and vulnerability also leads to threats in businesses.  This can lead to losses in productivity.  One problem with software is the presence of hidden bugs or program code defects.  Patches are put on software to correct flaws once they are identified.  This will repair the flaws without disturbing the operation of the software. 

Businesses need to protect their information systems.  Implementing a sound security and control framework can lead to a high return on investment as well as increased employee productivity and lower operational costs.  The government is now requiring businesses to take security and control more seriously by requiring them to protect their data.  HIPPA (Health Insurance Portability and Accountability Act) is used in the health industry.  It outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans.  Firms who provide financial services follow the Gramm-Leach-Bliley Act, which requires these institutions to ensure the security and confidentiality of customer data.  Publicly traded companies follow the Sarbanes-Oxley Act.  It requires management to safeguard the accuracy and integrity of financial information that is used internally and released externally. 

Firms are being required to pay more attention to security and electronic records management because legal actions are requiring electronic evidence and computer forensics.  Electronic evidence includes digital data stored on CDs, computer hard disk drives, instant messages, e-commerce over the Internet, and email which is the most common.  Computer forensics is defined as the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

In order for information systems to be reliable and secure, proper controls must be in place.  General controls manage the design, security, and the use of computer programs and the security of data files in general throughout the organization’s IT infrastructure.  Application controls are unique to each computerized application and include both automated and manual procedures that ensure only authorized data are completely and accurately processed by that application. 

Companies need to know which assets require protection and the extent to which these assets are vulnerable.  Risk assessments determine the most cost-effective set of controls for protecting assets.  It also determines the level of risk to the firm if a specific activity or process is not properly controlled.  Although not all risks can be anticipated or measured, it is necessary to have these controls in place.  Once risks have been assessed, systems builders will concentrate on the control points with the greatest vulnerability and potential for loss.  Then a security policy is developed which ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving these goals.

Businesses also need to prepare for disaster and business continuity.  Disaster recovery planning designs plans for the restoration of computing and communications services after they have been disrupted.  It focuses primarily on the technical issues involved in keeping systems up and running.  Business continuity planning is used to help the company restore business operations after a disaster strikes.  It identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.

Audits are performed to make sure management knows that information systems security and controls are effective.  MIS audits examine the firm’s overall security environment and controls governing individual information systems as well as the data quality.  Security audits examine technologies, procedures, documentation, training, and personnel.  Once audits are performed, management is expected to devise a plan for countering significant weaknesses in controls.

Businesses have technologies and tools available to protect their information resources.  These include tools for managing user identities, preventing unauthorized access to systems and data, ensuring system availability, and ensuring software quality.  Identity management software automates the process of keeping track of all users and their systems privileges, assigning each user a unique digital identity for accessing each system.  It also includes tools for authenticating users, protecting user identities, and controlling access to system resources.  Users must be authorized and authenticated to gain access to a system.  Authentication is often established by using a password, token, smart card, or biometric readings.

Tools to protect against unauthorized access to systems and data include firewalls, intrusion detection systems, and antivirus software.  A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic.  It prevents unauthorized users from accessing private networks.  An intrusion detection system is a full-time monitoring tool placed at the most vulnerable points of corporate networks to detect and deter intruders continually.  Antivirus software is designed to check computer systems and drives for the presence of computer viruses.  They must be continually updated to remain effective.

Businesses also use encryption to protect digital information that they store, physically transfer, or send over the Internet.  This is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver.  Two methods for encrypting are SSL and S-HTTP.  SSL (Secure Sockets Layer) enable client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session.  S-HTTP (Secure Hypertext Transfer Protocol) is a protocol used for encrypting data flowing over the Internet and is limited to individual messages.  Symmetric key encryption is an alternative method of encryption where the sender and receiver establish a secure Internet session by creating a single encryption key and sending it to the receiver so both the sender and receiver share the same key.  Another alternative method is public key encryption.  This uses two keys, one shared (or public) and one totally private.  Digital certificates protect online transactions by providing secure, encrypted, online communication.

Companies use fault-tolerant computer systems to ensure that their systems and applications are always available.  These systems contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service.  High-availability computing attempts to minimize downtime by helping firms recover quickly from a system crash.  Deep packet inspection (DPI) is a technology that examines data files and sorts out low-priority online material while assigning higher priority to business-critical files.  Companies can also outsource many security functions to managed security service providers (MSSPs) that monitor network activity and perform vulnerability testing and intrusion detection. 

Companies can also improve system quality and reliability by employing software metrics and rigorous software testing.  Software metrics are objective assessments of the system in the form of quantified measurements.  Regular and thorough testing will contribute significantly to system quality. 

No comments:

Post a Comment