Management Chapter 8 Homework

Type: Homework Help
Pages: 9
Words: 4473
Authors: Jane P. Laudon, Kenneth C. Laudon

Chapter 8
Securing Information Systems
Student Learning Objectives
1. Why are information systems vulnerable to destruction, error, and abuse?
2. What is the business value of security and control?
3. What are the components of an organizational framework for security and control?
4. What are the most important tools and technologies for safeguarding information resources?
Learning Catalytics is a “bring your own device” student engagement, assessment, and
classroom intelligence system. It allows instructors to engage students in class with real-
time diagnostics. Students can use any modern, Web-enabled device (smartphone, tablet,
or laptop) to access it. For more information on using Learning Catalytics in your course,
contact your Pearson Representative.
Key Terms
The following alphabetical list identifies the key terms discussed in this chapter. The
page number for each key term is provided.
Acceptable use policy (AUP), 323
Antivirus software, 329
Application controls, 321
Computer crime, 312
Computer forensics, 320
Computer virus, 308
Controls, 306
Cybervandalism, 311
Cyberwarfare, 317
Deep packet inspection, 332
Denial-of-service (DoS) attack, 312
Digital certificates, 331
Disaster recovery planning, 324
Distributed denial-of-service (DDoS) attack, 312
Downtime, 332
Drive-by download, 309
Information systems audit, 325
Intrusion detection systems, 329
Key loggers, 311
Phishing, 313
Public key encryption, 331
Public key infrastructure (PKI), 332
Ransomware, 310
Risk assessment, 332
Sarbanes-Oxley Act, 319
Secure Hypertext Transfer Protocol (S-HTTP), 330
Secure Sockets Layer (SSL), 330
Security, 306
Security policy, 323
Smart card, 326
Sniffer, 311
Social engineering, 317
Teaching Suggestions
The opening case, “The 21st Century Bank Heist,” demonstrates the need to continuously
upgrade and improve security technology. Magnetic strips on credit cards are a technology
more than four decades old that much of the developed world has abandoned because
they are so vulnerable to counterfeit replication and to theft via handheld card skimmers.
However, banks and merchants have deemed replacement technology too expensive to
install.
Using commercially available card encoders attached via USB ports to laptops and PCs,
the thieves used the encoders' built-in software to enter account data. The thieves swiped plastic cards
Section 8.1, “Why are information systems vulnerable to destruction, error, and
abuse?” With data concentrated in electronic form and many procedures invisible
through automation, computerized information systems are vulnerable to destruction,
misuse, error, fraud, and hardware or software failures. Corporate systems using the
Interactive Session: Management: Target Becomes the Target for Massive Data Theft
Case Study Questions:
1. List and describe the security and control weaknesses at Target that are discussed in this case.
Target had prepared for what turned out to be one of the largest data thefts in history.
It had a huge information security staff with more than 300 people. Six months before the
attack it began installing the powerful $1.6 million FireEye malware detection platform.
2. What management, organization, and technology factors contributed to these problems? How much was management responsible?
Management: Even with 300 people on the information security staff, and a powerful
malware detection platform installed, management allowed key parts of the detection
software to be turned off. Beth Jacob, the Target CIO at the time of the attack, resigned in
3. What was the business impact of Target data losses on Target and its customers?
Target sales dropped 5.3 percent in the fourth quarter of 2013, when the breach occurred,
while its profit fell 46 percent. Profits continued to fall in early 2014 due to continuing
4. What solutions would you suggest to prevent these problems?
Do not turn off key features of security software that are designed to detect intrusions
into the system. The security team needs to address threats more often than once a month
Section 8.2, “What is the business value of security and control?” Security and control
are important but often neglected areas for information systems investments. The
majority of companies today are naïve about how vulnerable their assets are. When
Section 8.3, “What are the components of an organizational framework for security
and control?” Firms must use appropriate technologies to effectively protect their
information resources. The best place to start is by establishing a well-defined set of
general and application controls. Ask your students to research what types of security and
control methods are employed by their university or workplace. In groups, ask them to
present their findings in class.
Security policies and acceptable use policies are only as good as their enforcement. Many
Section 8.4, “What are the most important tools and technologies for safeguarding
information resources?” Although students or their employers may say they want
software quality or controls in information systems, few want to be bothered with the
extra steps that quality assurance requires, or the limits on their freedom, funds, and extra
time it takes to install controls and security.
Discuss with students how biometrics, such as the use of fingerprint imaging, retinal
Interactive Session: Technology: BYOD: It’s Not So Safe
Case Study Questions
1. It has been said that a smartphone is a microcomputer in your hand. Discuss the security implications of this statement.
Smartphones have many of the same computing features and capabilities as any laptop,
desktop, or client/server computing network, making them just as vulnerable to malware.
2. What management, organizational, and technology factors must be addressed by smartphone security?
Management: One of the biggest problems with people using their personal smartphones
to access corporate data is that they lose the devices. They aren’t diligent about protecting
Organizational: Cloud services are causing continually escalating problems because
employees are not careful about what documents they upload to the open services.
Some free cloud services such as Dropbox and Google Drive are more open to
3. What problems do smartphone security weaknesses cause for businesses?
Smartphones of all kinds are susceptible to browser-based malware that takes advantage
of vulnerabilities in all browsers. In addition, most smartphones, including the iPhone,
permit the manufacturers to remotely download configuration files to update operating
systems and security protections.
4. What steps can individuals and businesses take to make their smartphones more secure?
First of all, and most importantly, employees using their personal devices on the job need
to protect them more, both from theft and from accidental access.
Review Questions
8-1 Why are information systems vulnerable to destruction, error, and abuse?
List and describe the most common threats against contemporary information systems.
The most common threats against contemporary information systems include:
technical, organizational, and environmental factors compounded by poor
management decisions. Figure 8.1 includes the following:
Technical: Unauthorized access, introducing errors
Define malware and distinguish among a virus, a worm, and a Trojan horse.
Malware (for malicious software) is any program or file that is harmful to a computer
user. Thus, malware includes computer viruses, worms, Trojan horses, and also
spyware programs that gather information about a computer user without permission.
Virus: A program or programming code that replicates itself by being copied
Define a hacker and explain how hackers create security problems and damage systems.
A hacker is an individual who gains unauthorized access to a computer system by
finding weaknesses in security protections used by Web sites and computer systems.
Hackers not only threaten the security of computer systems, but they also steal goods
Define computer crime. Provide two examples of crime in which computers are targets and two examples in which computers are used as instruments of crime.
The Department of Justice defines computer crime as “any violations of criminal law
that involve a knowledge of computer technology for their perpetration, investigation,
Computers as targets of crime:
Breaching the confidentiality of protected computerized data
Accessing a computer system without authority
Computers as instruments of crime:
Theft of trade secrets
Unauthorized copying of software or copyrighted intellectual property, such
as articles, books, music, and video
Schemes to defraud
Define identity theft and phishing and explain why identity theft is such a big problem today.
Identity theft is a crime in which an imposter obtains key pieces of personal
information, such as Social Security identification number, driver’s license number,
or credit card numbers, to impersonate someone else. The information may be used to
obtain credit, merchandise, or services in the name of the victim or to provide the
thief with false credentials.
It is a big problem today as the Internet has made it easy for identity thieves to use
stolen information because goods can be purchased online without any personal
Describe the security and system reliability problems created by employees.
The largest financial threats to business institutions come from employees. Some of
the largest disruptions to service, destruction of e-commerce sites, and diversion of
customer credit data and personal information have come from insiders. Employees
have access to privileged information, and in the presence of sloppy internal security
Explain how software defects affect system reliability and security.
The software can fail to perform, perform erratically, or give erroneous results
because of undetected bugs. A control system that fails to perform can mean medical
equipment that fails or telephones that do not carry messages or allow access to the
8-2 What is the business value of security and control?
Explain how security and control provide value for businesses.
Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems.
Controls consist of all the methods, policies, and organizational procedures that
ensure the safety of the organization’s assets; the accuracy and reliability of its
account records; and operational adherence to management standards.
The business value of security and control:
Firms relying on computer systems for their core business functions can lose
sales and productivity.
Describe the relationship between security and control and recent U.S. government regulatory requirements and computer forensics.
Legal actions requiring electronic evidence and computer forensics also require firms
to pay more attention to security and electronic records management. Computer
forensics is the scientific collection, examination, authentication, preservation, and
analysis of data held on or retrieved from computer storage media in such a way that
the information can be used as evidence in the court of law. It deals with the
following problems:
Recovering data from computers while preserving evidential integrity
Securely storing and handling recovered electronic data
8-3 What are the components of an organizational framework for security and control?
Define general controls and describe each type of general control.
General controls govern the design, security, and use of computer programs and the
security of data files in general throughout the organization’s information technology
infrastructure. They apply to all computerized applications and consist of a
Define application controls and describe each type of application control.
Application controls are specific controls unique to each computerized application.
They include both automated and manual procedures that ensure that only authorized
data are completely and accurately processed by that application.
Application controls can be classified as:
Input controls: Check data for accuracy and completeness when they enter
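The input controls described above can be demonstrated in code. The following is an added example, not from the textbook or the instructor manual: it applies completeness and accuracy (edit) checks to each record of a hypothetical order-entry batch and then a batch control total, which are the classic automated input controls. The field names, the order-id format, the range limits and the sample batch are all constructed for this illustration.

```python
"""Added example (not the textbook's own): automated input controls for a
hypothetical order-entry application. Each record is checked for completeness
and accuracy as it enters the system, and the whole batch is checked against a
control total supplied with the batch. All field names, formats, limits and
sample data below are constructed for illustration."""
from datetime import date
from decimal import Decimal, InvalidOperation
import re

REQUIRED_FIELDS = ("order_id", "customer_id", "quantity", "amount", "order_date")
ORDER_ID_PATTERN = re.compile(r"^ORD-\d{6}$")   # constructed format for this example
MAX_QUANTITY = 10_000                            # constructed reasonableness limit
MAX_AMOUNT = Decimal("250000.00")                # constructed reasonableness limit


def check_record(rec: dict) -> list[str]:
    """Return the edit-check failures for one input record (empty list = accepted)."""
    errors = []
    # Completeness check: every required field must be present and non-blank.
    for field in REQUIRED_FIELDS:
        if field not in rec or str(rec[field]).strip() == "":
            errors.append(f"missing field: {field}")
    if errors:
        return errors  # format checks on absent fields would only add noise

    # Format and range (edit) checks on each field.
    if not ORDER_ID_PATTERN.match(str(rec["order_id"])):
        errors.append("order_id format invalid")
    if not str(rec["customer_id"]).isdigit():
        errors.append("customer_id must be numeric")
    try:
        qty = int(rec["quantity"])
        if not 1 <= qty <= MAX_QUANTITY:
            errors.append("quantity out of range")
    except ValueError:
        errors.append("quantity not an integer")
    try:
        amt = Decimal(str(rec["amount"]))
        if not Decimal("0.01") <= amt <= MAX_AMOUNT:
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount not a valid decimal")
    try:
        if date.fromisoformat(str(rec["order_date"])) > date.today():
            errors.append("order_date is in the future")
    except ValueError:
        errors.append("order_date not a valid ISO date")
    return errors


def process_batch(records, expected_total) -> dict:
    """Apply record-level controls, then a control total over the accepted amounts.

    expected_total is the total the submitter computed for the batch (str or Decimal);
    a mismatch means records were lost, altered or rejected on the way in."""
    accepted, rejected = [], []
    for rec in records:
        errs = check_record(rec)
        (rejected if errs else accepted).append((rec, errs))
    actual_total = sum((Decimal(str(r["amount"])) for r, _ in accepted), Decimal("0"))
    return {
        "accepted": len(accepted),
        "rejected": [(r.get("order_id"), e) for r, e in rejected],
        "actual_total": actual_total,
        "control_total_ok": actual_total == Decimal(str(expected_total)),
    }


# Constructed sample batch: two clean records, one incomplete, one with bad values.
SAMPLE_BATCH = [
    {"order_id": "ORD-000101", "customer_id": "4471", "quantity": "3",
     "amount": "149.97", "order_date": "2014-01-15"},
    {"order_id": "ORD-000102", "customer_id": "4472", "quantity": "1",
     "amount": "999.00", "order_date": "2014-01-15"},
    {"order_id": "ORD-000103", "customer_id": "", "quantity": "2",
     "amount": "10.00", "order_date": "2014-01-15"},
    {"order_id": "BAD", "customer_id": "4474", "quantity": "-5",
     "amount": "abc", "order_date": "2014-13-40"},
]

if __name__ == "__main__":
    # The batch header claims a total of 1148.97, which matches the two clean records.
    print(process_batch(SAMPLE_BATCH, expected_total="1148.97"))
```

The control total is deliberately checked against the accepted records only: if the submitter's total was computed over all four records, the mismatch itself tells the operator that rejected input needs follow-up rather than silently disappearing.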
Describe the function of risk assessment and explain how it is conducted for information systems.
A risk assessment determines the level of risk to the firm if a specific activity or
process is not properly controlled. Business managers working with information
systems specialists can determine the value of information assets, points of
vulnerability, the likely frequency of a problem, and the potential for damage.
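As an added example (not the textbook's own material), the following small risk-assessment worksheet turns the four inputs named above (asset value, point of vulnerability, likely frequency, potential damage) into a ranked list of exposures and a simple cost-justification test for a proposed control. It uses the standard annualized-loss calculation, expected annual loss = probability of occurrence per year times average loss, which is an assumption of this example rather than a formula on the page; the exposures, values and probabilities are constructed.

```python
"""Added example (not from the textbook): a risk-assessment worksheet.
For each point of vulnerability the assessor records the asset value at stake,
the estimated probability that the problem occurs in a year, and the range of
loss if it does. Expected annual loss = probability * average loss (assumed
standard formula). All exposures and figures below are constructed."""
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str               # the point of vulnerability being assessed
    asset_value: float      # value of the information asset at stake
    probability: float      # likely frequency: chance of occurrence per year (0..1)
    loss_low: float         # potential damage, lower bound
    loss_high: float        # potential damage, upper bound

    def __post_init__(self):
        # Sanity checks so an inconsistent worksheet row fails loudly.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if not 0.0 <= self.loss_low <= self.loss_high <= self.asset_value:
            raise ValueError(f"{self.name}: loss range must be 0 <= low <= high <= asset value")

    def average_loss(self) -> float:
        return (self.loss_low + self.loss_high) / 2

    def expected_annual_loss(self) -> float:
        return self.probability * self.average_loss()


def rank_exposures(exposures):
    """Highest expected annual loss first, so control spending can be prioritised."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss(), reverse=True)


def control_justified(exposure: Exposure, annual_control_cost: float,
                      risk_reduction: float) -> bool:
    """A control is cost-justified when the expected loss it removes exceeds its cost.

    risk_reduction is the fraction of the expected annual loss the control is
    expected to eliminate (0..1)."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return exposure.expected_annual_loss() * risk_reduction > annual_control_cost


# Constructed worksheet rows for a hypothetical online order-processing system.
SAMPLE_EXPOSURES = [
    Exposure("Web server outage", asset_value=500_000.0, probability=0.25,
             loss_low=10_000.0, loss_high=90_000.0),
    Exposure("Insider misuse of customer data", asset_value=2_000_000.0, probability=0.05,
             loss_low=20_000.0, loss_high=180_000.0),
    Exposure("Data-entry error", asset_value=100_000.0, probability=0.90,
             loss_low=500.0, loss_high=9_500.0),
]

if __name__ == "__main__":
    for e in rank_exposures(SAMPLE_EXPOSURES):
        print(f"{e.name:32s} p={e.probability:.2f} avg loss={e.average_loss():>10,.2f} "
              f"expected annual loss={e.expected_annual_loss():>10,.2f}")
    # Would a control costing 4,000 a year that removes 60% of the insider risk pay off?
    print(control_justified(SAMPLE_EXPOSURES[1], annual_control_cost=4_000.0, risk_reduction=0.6))
```

Ranking by expected annual loss rather than by asset value is the point of the exercise: the most valuable asset on the worksheet (customer data) does not produce the largest expected loss, and a control against it that costs more than the loss it removes is not justified on these numbers.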
