Data is more vulnerable today than it ever has been. Unauthorized access, abuse, fraud, floods, fires, and power failures, to name only a few, can occur at any access point in the network. If hardware breaks down or software fails due to errors in programming, improper installation, or unauthorized changes, systems become more vulnerable. The Internet is more vulnerable than private networks because it is available to practically anyone. The increased use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs has also increased vulnerability. In addition, Bluetooth and Wi-Fi networks are more susceptible to hacking by eavesdroppers.
Malware, which is malicious software, includes a variety of threats, such as computer viruses, worms, and Trojan horses. A computer virus is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without the user’s knowledge or permission. Worms are independent computer programs that copy themselves from one computer to other computers over a network. Worms spread much more quickly than viruses because they operate on their own, relying less on human behavior in order to spread. A Trojan horse is a software program that appears legitimate but has a hidden motive. Once installed on a computer, it opens access so that hackers are able to get in and obtain personal information. SQL injection attacks are the largest malware threat. They take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems and networks. Spyware can also act as malicious software by installing itself secretly on computers to monitor users’ Web surfing and serve up advertising.
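As an added illustration of the SQL injection point above (example code written for this page, not taken from the original post or from any textbook), the following Python script builds a constructed in-memory SQLite table of users and shows a login check written two ways: one that pastes the supplied username into the SQL text, and one that binds it as a parameter. The table, the user `alice`, her password and the crafted username are all constructed for the demonstration.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for a Web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password kept only to keep the example short; real systems
    # store a salted hash, which is a separate control from injection.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Defect: user input is pasted into the SQL text, so the input can change
    the structure of the query instead of being treated purely as a value."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Fix: placeholders let the driver bind the input as data only; the query
    structure is fixed before any user-supplied value is seen."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def demo():
    """Run both checks on normal input and on a username carrying a SQL comment
    sequence, which makes the vulnerable query drop its password clause while
    the parameterized query simply sees an unknown username."""
    conn = build_db()
    crafted = "alice' --"   # constructed input for the demonstration
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "valid_param": login_parameterized(conn, "alice", "correct horse"),
        "wrong_vuln": login_vulnerable(conn, "alice", "wrong"),
        "wrong_param": login_parameterized(conn, "alice", "wrong"),
        "crafted_vuln": login_vulnerable(conn, crafted, "anything"),
        "crafted_param": login_parameterized(conn, crafted, "anything"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The only difference between the two functions is whether the database driver or the application decides where the data ends and the query begins; parameter binding is the control that removes the whole class of defect, regardless of what the input contains.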
A hacker is an individual who gains unauthorized access to a computer system by finding weaknesses in the security protections employed by Web sites and computer systems. Hackers often take advantage of various features of the Internet that make it an open system that is easy to use. They attempt to hide their true identity by misrepresenting themselves, using a fake e-mail address or impersonating someone else. This is known as spoofing. Hackers can use a sniffer to steal proprietary information from anywhere on a network. A sniffer is a type of eavesdropping program that monitors information traveling over a network. In a denial-of-service (DoS) attack, hackers flood a network server or Web server with many thousands of false communications or requests for services in order to crash the network. A distributed denial-of-service (DDoS) attack uses numerous computers to overwhelm the network from numerous launch points.
Computer crimes have been on the rise with the ease of access. They can cost companies many thousands of dollars in damage. They often go unreported because they may involve employees, or because the company fears that publicizing its vulnerability will hurt its reputation. DoS attacks are the most economically damaging because they introduce viruses, theft of services, and disruption of computer systems.
Identity theft has also increased with the growth of the Internet and electronic commerce. It is a crime in which an impostor obtains key pieces of personal information and uses them to impersonate someone else. One common tactic is a form of spoofing known as phishing, which involves setting up fake Web sites or sending e-mail or text messages that look like those of legitimate businesses in order to ask users for confidential personal data. Evil twins and pharming are two phishing techniques that are harder to detect. Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet. Pharming redirects users to a bogus Web page, even when the user types the correct Web page address into his or her browser. Click fraud happens when someone fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase.
Employees pose just as much of a threat to a business as outsiders do. They have access to privileged company information, and without proper controls and security in place they may be able to roam throughout the organization’s systems without anyone’s knowledge. Social engineering is one way to gain access to a company’s networks: it is tricking people into revealing their passwords by pretending to be legitimate users or members of the company in need of information. Both end users and information systems specialists are also a major source of errors introduced into information systems.
Software flaws and vulnerabilities also create threats to businesses and can lead to losses in productivity. One problem with software is the presence of hidden bugs, or program code defects. Patches are applied to software to correct flaws once they are identified; a patch repairs the flaws without disturbing the operation of the software.
Businesses need to protect their information systems. Implementing a sound security and control framework can lead to a high return on investment as well as increased employee productivity and lower operational costs. The government is now requiring businesses to take security and control more seriously by obligating them to protect their data. HIPAA (the Health Insurance Portability and Accountability Act) applies to the health industry. It outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. Firms that provide financial services follow the Gramm-Leach-Bliley Act, which requires these institutions to ensure the security and confidentiality of customer data. Publicly traded companies follow the Sarbanes-Oxley Act, which requires management to safeguard the accuracy and integrity of financial information that is used internally and released externally.
Firms are also being required to pay more attention to security and electronic records management because legal actions are requiring electronic evidence and computer forensics. Electronic evidence includes digital data stored on CDs, computer hard disk drives, instant messages, e-commerce transactions over the Internet, and e-mail, which is the most common. Computer forensics is defined as the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.
In order for information systems to be reliable and secure, proper controls must be in place. General controls manage the design, security, and use of computer programs and the security of data files in general throughout the organization’s IT infrastructure. Application controls are unique to each computerized application and include both automated and manual procedures that ensure only authorized data are completely and accurately processed by that application.
Companies need to know which assets require protection and the extent to which these assets are vulnerable. Risk assessments determine the most cost-effective set of controls for protecting assets. They also determine the level of risk to the firm if a specific activity or process is not properly controlled. Although not all risks can be anticipated or measured, it is necessary to have these controls in place. Once risks have been assessed, systems builders concentrate on the control points with the greatest vulnerability and potential for loss. Then a security policy is developed that ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving these goals.
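As an added worked example of the risk-assessment step described above (not from the original post; the exposures, probabilities, loss figures and control costs are all constructed), the Python script below computes expected annual loss as the probability of occurrence times the loss per occurrence, ranks exposures by it so the control points with the greatest potential for loss come first, and keeps only those controls whose annual cost is below the expected loss they remove.

```python
# Constructed exposures: (name, annual probability of occurrence, loss per occurrence in dollars)
EXPOSURES = [
    ("power failure", 0.30, 25_000),
    ("embezzlement", 0.05, 100_000),
    ("user error", 0.98, 15_000),
]

# Constructed candidate controls: (exposure addressed, annual cost, fraction of expected loss removed)
CONTROLS = [
    ("user error", 6_000, 0.50),      # e.g. input validation and training
    ("power failure", 10_000, 0.90),  # e.g. UPS and generator
    ("embezzlement", 2_000, 0.60),    # e.g. separation of duties
]

def expected_annual_loss(probability, loss_per_occurrence):
    """Expected annual loss (EAL) of one exposure."""
    return probability * loss_per_occurrence

def rank_exposures(exposures):
    """Exposures sorted by EAL, highest first: the control points to address first."""
    ranked = [(name, expected_annual_loss(p, loss)) for name, p, loss in exposures]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

def cost_effective_controls(exposures, controls):
    """Keep a control only when its annual cost is less than the EAL it removes."""
    eal = dict(rank_exposures(exposures))
    chosen = []
    for exposure, cost, reduction in controls:
        benefit = eal[exposure] * reduction
        if cost < benefit:
            chosen.append((exposure, cost, round(benefit)))
    return chosen

if __name__ == "__main__":
    for name, eal in rank_exposures(EXPOSURES):
        print(f"{name:15s} expected annual loss ${eal:,.0f}")
    for exposure, cost, benefit in cost_effective_controls(EXPOSURES, CONTROLS):
        print(f"adopt control for {exposure}: cost ${cost:,} < benefit ${benefit:,}")
```

With these constructed numbers the generator is rejected even though power failure is the second-largest exposure, because it costs more per year than the loss it prevents; the ranking tells you where to look first, and the cost comparison tells you which controls are worth buying.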
Businesses also need to prepare for disaster and business continuity. Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted. It focuses primarily on the technical issues involved in keeping systems up and running. Business continuity planning is used to help the company restore business operations after a disaster strikes. It identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.
Audits are performed to assure management that information systems security and controls are effective. MIS audits examine the firm’s overall security environment and the controls governing individual information systems, as well as data quality. Security audits examine technologies, procedures, documentation, training, and personnel. Once audits are performed, management is expected to devise a plan for countering significant weaknesses in controls.
Businesses have technologies and tools available to protect their information resources. These include tools for managing user identities, preventing unauthorized access to systems and data, ensuring system availability, and ensuring software quality. Identity management software automates the process of keeping track of all users and their system privileges, assigning each user a unique digital identity for accessing each system. It also includes tools for authenticating users, protecting user identities, and controlling access to system resources. Users must be authorized and authenticated to gain access to a system. Authentication is often established by using a password, token, smart card, or biometric readings.
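The password form of authentication mentioned above is only as safe as the way the password is stored and checked. The following Python example is added here (it is not code from the original post or from any identity management product) and uses only the standard library: a constructed in-memory identity store keeps a random salt and a PBKDF2 digest per user rather than the password itself, and checks a login attempt with a constant-time comparison. The users, passwords and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; an assumption for this example, raise it for production hardware.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt is drawn
    when none is supplied, so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

class UserStore:
    """Constructed in-memory identity store: username -> (salt, digest).
    Only the salt and digest are kept; the password itself is never stored."""
    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Unknown user: still run the key derivation so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking the position of the first mismatch.
        return hmac.compare_digest(candidate, stored)

    def stored_digest(self, username):
        return self._users[username][1]

def demo():
    store = UserStore()
    store.register("alice", "correct horse")
    store.register("bob", "correct horse")      # same password as alice
    return {
        "right_password": store.authenticate("alice", "correct horse"),
        "wrong_password": store.authenticate("alice", "wrong horse"),
        "unknown_user": store.authenticate("mallory", "correct horse"),
        # same password but different salts -> different stored digests
        "digests_differ": store.stored_digest("alice") != store.stored_digest("bob"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

If the store is ever copied off the server, the attacker gets salts and slow-to-compute digests rather than passwords, which is the whole point of this design; tokens, smart cards and biometrics are typically layered on top of such a check rather than replacing it.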
Tools to protect against unauthorized access to systems and data include firewalls, intrusion detection systems, and antivirus software. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It prevents unauthorized users from accessing private networks. An intrusion detection system is a full-time monitoring tool placed at the most vulnerable points of corporate networks to detect and deter intruders continually. Antivirus software is designed to check computer systems and drives for the presence of computer viruses. It must be continually updated to remain effective.
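One thing an intrusion detection system does at its monitoring point is exactly the kind of rate check that also catches the denial-of-service floods described earlier: counting events per source inside a sliding time window and raising an alert when a threshold is crossed. The Python below is an added example (not code from the original post or from any IDS product) that runs that logic over a few constructed log lines; the log format, the addresses, the threshold and the window length are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines: seconds since start, source address, login outcome.
SAMPLE_LOG = """\
10 src=203.0.113.5 auth=fail
11 src=203.0.113.5 auth=fail
12 src=198.51.100.7 auth=ok
13 src=203.0.113.5 auth=fail
14 src=203.0.113.5 auth=fail
15 src=203.0.113.5 auth=fail
16 src=198.51.100.7 auth=fail
90 src=203.0.113.5 auth=fail
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) src=(?P<src>[\d.]+) auth=(?P<result>ok|fail)$")

def parse_line(line):
    """Return (timestamp, source, result), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return int(m.group("ts")), m.group("src"), m.group("result")

def find_bursts(log_text, threshold=5, window=60):
    """Sliding-window rate check: map each source that produced `threshold` or more
    failures within any `window` seconds to the timestamp at which it crossed the line.
    Counting requests instead of failures turns the same loop into a flood detector."""
    recent = defaultdict(deque)   # source -> timestamps of its failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, result = parsed
        if result != "fail":
            continue
        events = recent[src]
        events.append(ts)
        while events and ts - events[0] >= window:   # expire events older than the window
            events.popleft()
        if len(events) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, ts in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT t={ts}s: {src} exceeded the failure threshold")
```

With the sample data, 203.0.113.5 reaches five failures at t=15 and is reported once; its later failure at t=90 starts a new window and does not re-alert, and the single failure from 198.51.100.7 stays below the threshold.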
Businesses also use encryption to protect digital information that they store, physically transfer, or send over the Internet. Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver. Two methods for encrypting are SSL and S-HTTP. SSL (Secure Sockets Layer) enables client and server computers to manage encryption and decryption activities as they communicate with each other during a secure Web session. S-HTTP (Secure Hypertext Transfer Protocol) is a protocol used for encrypting data flowing over the Internet and is limited to individual messages. Symmetric key encryption is an alternative method in which the sender and receiver establish a secure Internet session by creating a single encryption key and sending it to the receiver, so that both the sender and receiver share the same key. Another alternative method is public key encryption, which uses two keys, one shared (or public) and one totally private. Digital certificates protect online transactions by providing secure, encrypted online communication.
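To make the difference between the two key arrangements concrete, the following Python example is added here (it is not code from the original post, and neither construction is one a real product uses): the symmetric half is a demonstration keystream cipher built from SHA-256 in counter mode, where sender and receiver must hold the same key; the public-key half is textbook RSA with the small primes 61 and 53, where anyone can encrypt with the published key but only the private key decrypts. The message, keys and primes are all constructed for the demonstration, and the sizes are far too small for real use.

```python
import hashlib
import os
from math import gcd

# ---- Symmetric: sender and receiver share ONE key. ----
# Demonstration keystream built from SHA-256 in counter mode; it illustrates
# the shared-key idea only. Real systems use a vetted cipher such as AES-GCM.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key, nonce, plaintext):
    """XOR the plaintext with the keystream. The nonce must be fresh for every
    message, because reusing key and nonce reuses the keystream."""
    stream = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))

def sym_decrypt(key, nonce, ciphertext):
    """Decryption is the same XOR, which is why both sides need the same key."""
    return sym_encrypt(key, nonce, ciphertext)

# ---- Public key: TWO keys, one published, one private. ----
# Textbook RSA with tiny primes so every step is visible; toy sizes only.
def rsa_keygen(p=61, q=53, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)

def rsa_encrypt(public_key, plaintext):
    """Anyone holding the public key can encrypt; each byte value is below n."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]

def rsa_decrypt(private_key, ciphertext):
    """Returns the list of recovered values; only the private key gives back the bytes."""
    d, n = private_key
    return [pow(c, d, n) for c in ciphertext]

def demo():
    message = b"wire $500 to account 42"     # constructed sample message
    key, nonce = os.urandom(32), os.urandom(16)
    ct = sym_encrypt(key, nonce, message)
    public, private = rsa_keygen()
    rsa_ct = rsa_encrypt(public, message)
    return {
        "sym_roundtrip": sym_decrypt(key, nonce, ct) == message,
        "sym_wrong_key": sym_decrypt(os.urandom(32), nonce, ct) == message,
        "rsa_roundtrip": bytes(rsa_decrypt(private, rsa_ct)) == message,
        "rsa_public_cannot_decrypt": rsa_decrypt(public, rsa_ct) == list(message),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The symmetric path is fast but leaves the problem of getting the one key to the receiver safely; the public-key path solves that distribution problem at the cost of much slower arithmetic, which is why real protocols use public-key operations to agree on a symmetric key and then encrypt the session with it. A digital certificate is what binds a public key to the identity of its owner.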
Companies use fault-tolerant computer systems to ensure that their systems and applications are always available. These systems contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service. High-availability computing attempts to minimize downtime by helping firms recover quickly from a system crash. Deep packet inspection (DPI) is a technology that examines data files and sorts out low-priority online material while assigning higher priority to business-critical files. Companies can also outsource many security functions to managed security service providers (MSSPs) that monitor network activity and perform vulnerability testing and intrusion detection.
Companies can also improve system quality and reliability by employing software metrics and rigorous software testing. Software metrics are objective assessments of the system in the form of quantified measurements. Regular and thorough testing will contribute significantly to system quality.