Management Chapter 8 Homework With data concentrated in electronic form and many procedures invisible

Unlock access to all the studying documents.

View Full Document

8-1

Chapter 8

Securing Information Systems

Student Learning Objectives

1. Why are information systems vulnerable to destruction, error, and abuse?

2. What is the business value of security and control?

3. What are the components of an organizational framework for security and

control?

4. What are the most important tools and technologies for safeguarding information

resources?

Learning Catalytics is a “bring your own device” student engagement, assessment, and

classroom intelligence system. It allows instructors to engage students in class with real-

time diagnostics. Students can use any modern, Web-enabled device (smartphone, tablet,

or laptop) to access it. For more information on using Learning Catalytics in your course,

contact your Pearson Representative.

Key Terms

The following alphabetical list identifies the key terms discussed in this chapter. The

page number for each key term is provided.

Acceptable use policy (AUP), 323

Information systems audit, 325

Antivirus software, 329

Intrusion detection systems, 329

Application controls, 321

Key loggers, 311

Authentication, 326

Malware, 308

Biometric authentication, 327

Managed security service providers (MSSPs), 333

Botnet, 312

Online transaction processing, 332

Bugs, 318

Password, 326

Business continuity planning, 324

Patches, 318

Click fraud, 316

Pharming, 314

Computer crime, 312

Phishing, 313

Computer forensics, 320

Public key encryption, 331

Computer virus, 308

Public key infrastructure (PKI), 332

Controls, 306

Ransomware, 310

Cybervandalism, 311

Risk assessment, 332

Cyberwarfare, 317

Sarbanes-Oxley Act, 319

Deep packet inspection, 332

Secure Hypertext Transfer Protocol (S-HTTP), 330

Denial-of-service (DoS) attack, 312

Secure Sockets Layer (SSL), 330

8-2

Digital certificates, 331

Security, 306

Disaster recovery planning, 324

Security policy, 323

Distributed denial-of-service (DDoS)

attack, 312

Smart card, 326

Downtime, 332

Sniffer, 311

Drive-by download, 309

Social engineering, 317

Encryption, 330

Spoofing, 311

Evil twin, 313

Spyware, 311

Fault tolerant computer systems, 332

SQL injection attack, 310

Firewall, 328

Token, 326

Gramm-Leach-Bliley Act, 319

Two-factor authentication, 327

Hacker, 311

Unified threat management (UTM), 330

HIPAA, 319

War driving, 308

Identity management, 323

Worms, 309

Identify theft, 312

Teaching Suggestions

The opening case, “The 21st Century Bank Heist” demonstrates the need to continuously

upgrade and improve security in technology. Magnetic strips on credit cards are an over

four-decade old technology that much of the developed world has abandoned because

they are so vulnerable to counterfeit replication and theft via handheld card skimmers.

However, banks and merchants have deemed replacement technology too expensive to

install.

Using commercially-available card encoders attached via USB ports to laptops and PCs,

the built-in software was used to enter account data. The thieves swiped plastic cards

8-3

Section 8.1, “Why are information systems vulnerable to destruction, error, and

abuse?” With data concentrated in electronic form and many procedures invisible

through automation, computerized information systems are vulnerable to destruction,

misuse, error, fraud, and hardware or software failures. Corporate systems using the

Interactive Session: Management: Target Becomes the Target for Massive Data

Theft

Case Study Questions:

1. List and describe the security and control weaknesses at Target that are

discussed in this case.

Target had prepared for what turned out to be the one of the largest data thefts in history.

It had a huge information security staff with more than 300 people. Six months before the

attack it began installing the powerful $1.6 million FireEye malware detection platform.

2. What management, organization, and technology factors contributed to these

problems? How much was management responsible?

8-4

Management: Even with 300 people on the information security staff, and a powerful

malware detection platform installed, management allowed key parts of the detection

software to be turned off. Beth Jacob, the Target CIO at the time of the attack, resigned in

3. What was the business impact of Target data losses on Target and its customers?

Target sales dropped 5.3 percent in the fourth quarter of 2013 when the breach occurred

while its profit fell 46 percent. Profits continued to fall in early 2014 due to continuing

4. What solutions would you suggest to prevent these problems?

Do not turn off key features of security software that are designed to detect intrusions

into the system. The security team needs to address threats more often than once a month

Section 8.2, “What is the business value of security and control?” Security and control

are important but often neglected areas for information systems investments. The

majority of companies today are naïve about how vulnerable their assets are. When

8-5

Section 8.3, “What are the components of an organizational framework for security

and control?” Firms must use appropriate technologies to effectively protect their

information resources. The best place to start is by establishing a well-defined set of

general and application control. Ask your students to research what types of security and

controls methods are employed by their university or workplace. In groups, ask them to

present their findings in class.

Security policies and acceptable use policies are only as good as their enforcement. Many

Section 8.4, “What are the most important tools and technologies for safeguarding

information resources?” Although students or their employers may say they want

software quality or controls in information systems, few want to be bothered with the

extra steps that quality assurance requires, or the limits on their freedom, funds, and extra

time it takes to install controls and security.

Discuss with students how biometrics, such as the use of fingerprint imaging, retinal

8-6

Interactive Session: Technology: BYOD: It’s Not So Safe

Case Study Questions

1. It has been said that a smartphone is a microcomputer in your hand. Discuss the

security implications of this statement.

Smartphones have many of the same computing features and capabilities as any laptop,

desktop, or client/server computing network, making them as vulnerable to malware.

2. What management, organizational, and technology factors must be addressed by

smartphone security?

Management: One of the biggest problems with people using their personal smartphones

to access corporate data is that they lose the devices. They aren’t diligent about protecting

Organizational: Cloud services are causing continually escalating problems because

employees are not careful about what documents they upload to the “open” services.

Some free cloud services such as Dropbox and Google Drive are more open to

8-7

3. What problems do smartphone security weaknesses cause for businesses?

Smartphones of all kinds are susceptible to browser-based malware that takes advantage

of vulnerabilities in all browsers. In addition, most smartphones, including the iPhone,

permit the manufacturers to remotely download configuration files to update operating

systems and security protections.

4. What steps can individuals and businesses take to make their smartphones more

secure?

First of all, and most importantly, employees using their personal devices on the job need

to protect them more—both from theft and accidental access.

Review Questions

8-1 Why are information systems vulnerable to destruction, error, and abuse?

List and describe the most common threats against contemporary information

systems.

The most common threats against contemporary information systems include:

technical, organizational, and environmental factors compounded by poor

management decisions. Figure 8.1 includes the following:

8-8

• Technical: Unauthorized access, introducing errors

Define malware and distinguish among a virus, a worm, and a Trojan horse.

Malware (for malicious software) is any program or file that is harmful to a computer

user. Thus, malware includes computer viruses, worms, Trojan horses, and also

spyware programs that gather information about a computer user without permission.

• Virus: A program or programming code that replicates itself by being copied

Define a hacker and explain how hackers create security problems and damage

systems.

A hacker is an individual who gains unauthorized access to a computer system by

finding weaknesses in security protections used by Web sites and computer systems.

Hackers not only threaten the security of computer systems, but they also steal goods

Define computer crime. Provide two examples of crime in which computers are

targets and two examples in which computers are used as instruments of crime.

The Department of Justice defines computer crime as “any violations of criminal law

that involve a knowledge of computer technology for their perpetration, investigation,

8-9

Computers as targets of crime:

• Breaching the confidentiality of protected computerized data

• Accessing a computer system without authority

Computers as instruments of crime:

• Theft of trade secrets

• Unauthorized copying of software or copyrighted intellectual property, such

as articles, books, music, and video

• Schemes to defraud

Define identity theft and phishing and explain why identity theft is such a big

problem today.

Identity theft is a crime in which an imposter obtains key pieces of personal

information, such as Social Security identification number, driver’s license number,

or credit card numbers, to impersonate someone else. The information may be used to

obtain credit, merchandise, or services in the name of the victim or to provide the

thief with false credentials.

It is a big problem today as the Internet has made it easy for identity thieves to use

stolen information because goods can be purchased online without any personal

8-10

Describe the security and system reliability problems created by employees.

The largest financial threats to business institutions come from employees. Some of

the largest disruptions to service, destruction of e-commerce sites, and diversion of

customer credit data and personal information have come from insiders. Employees

have access to privileged information, and in the presence of sloppy internal security

Explain how software defects affect system reliability and security.

The software can fail to perform, perform erratically, or give erroneous results

because of undetected bugs. A control system that fails to perform can mean medical

equipment that fails or telephones that do not carry messages or allow access to the

8-2 What is the business value of security and control?

Explain how security and control provide value for businesses.

Security refers to the policies, procedures, and technical measures used to prevent

8-11

unauthorized access, alteration, theft, or physical damage to information systems.

Controls consist of all the methods, policies, and organizational procedures that

ensure the safety of the organization’s assets; the accuracy and reliability of its

account records; and operational adherence to management standards.

The business value of security and control:

• Firms relying on computer systems for their core business functions can lose

sales and productivity.

Describe the relationship between security and control and recent U.S.

government regulatory requirements and computer forensics.

Legal actions requiring electronic evidence and computer forensics also require firms

to pay more attention to security and electronic records management. Computer

forensics is the scientific collection, examination, authentication, preservation, and

analysis of data held on or retrieved from computer storage media in such a way that

the information can be used as evidence in the court of law. It deals with the

following problems:

• Recovering data from computers while preserving evidential integrity

• Securely storing and handling recovered electronic data

8-3 What are the components of an organizational framework for security and

control?

Define general controls and describe each type of general control.

General controls govern the design, security, and use of computer programs and the

security of data files in general throughout the organization’s information technology

infrastructure. They apply to all computerized applications and consist of a

8-12

Define application controls and describe each type of application control.

Application controls are specific controls unique to each computerized application.

They include both automated and manual procedures that ensure that only authorized

data are completely and accurately processed by that application.

Application controls can be classified as:

• Input controls: Check data for accuracy and completeness when they enter

Describe the function of risk assessment and explain how it is conducted for

information systems.

A risk assessment determines the level of risk to the firm if a specific activity or

process is not properly controlled. Business managers working with information

systems specialists can determine the value of information assets, points of

vulnerability, the likely frequency of a problem, and the potential for damage.