Management Information Systems, 13E, Global Editions
Laudon & Laudon
Lecture Notes by Barbara J. Ellestad
Chapter 8 Securing Information Systems
As our society and the world itself come to depend on computers and information
systems more and more, firms must put forth a better effort in making their systems less
8.1 System Vulnerability and Abuse
As firms become more technologically oriented, they must become more aware of
security and control issues surrounding their information systems and protect the
resources more stringently than ever before. It’s that simple.
Why Systems Are Vulnerable
Information systems are vulnerable to technical, organizational, and environmental
threats from internal and external sources. The weakest link in the chain is poor system
Figure 8-1: Contemporary Security Challenges and Vulnerabilities
Businesses that partner with outside companies are more vulnerable because at least some
data may be less controlled. Partnering companies may not protect information as
stringently. Hardware and software safeguards may not be as important to outsiders.
Internet Vulnerabilities
“If electronic business is to prosper and truly move into the mainstream of
commerce, everyone involved--merchants, financial institutions, software
vendors, and security suppliers such as VeriSign--has to make security a
top priority, starting right now. Security is very hard to get right under the
These two articles show how long the problem with poor security has existed and how
vulnerable computing systems are. Every point of entry into the Internet network is a
point of vulnerability.
Because distributed computing is used extensively in network systems, you have more
points of entry, which can make attacking the system easier. The more people you have
Wireless Security Challenges
It’s a difficult balancing act when it comes to making wireless systems easy to access and
yet difficult to penetrate. Internet cafes, airports, hotels, and other hotspot access points
Wireless networks are vulnerable in the following ways:
Radio frequency bands are easy to scan.
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
Have you ever picked up a cold or the flu from another human? Probably. You then
spread it to two or three other people through touch or association. Those people spread it
to two or three more people each. Pretty soon it seems that everyone on campus or at
Web-enabled and email-enabled cell phones are now being targeted as a way to spread
viruses.
It is not just PCs that are vulnerable to virus attacks these days--now you
There are currently about 100 mobile viruses that can disable a phone or
A different type of malware called worms can also destroy data on computers or clog
network systems with software-generated electronic transmissions. Worms are similar to
viruses in that they can create additional file copies on a computer and generate emails to
other computers with the infected file attached. Worms differ from viruses because they
don’t need human intervention to spread from one computer to another. That helps
explain why computer worms spread much more rapidly than computer viruses.
We mentioned above that mobile computing devices like smartphones and tablet
computers increase the vulnerability of corporate networks because they create new
points of entry. Social networking Web sites like Facebook and Web sites that use Web
2.0 applications also pose security threats. Users assume that every message they get
from “friends” or every well-constructed Web site is authentic. Unfortunately, that’s a
wrong assumption. Facebook has become an easy target for unauthorized users to
Hackers and Computer Crime
Hackers and crackers, those who intentionally create havoc or do damage to a computer
system, have been around for a long time. Many companies don’t report hackers’
attempts to enter their systems because they don’t want people to realize their systems are
Even as hacking has grown from a way for geeks to impress each other to
a means for criminals to steal and blackmail, the strategy for computer
security has remained largely the same: Companies and consumers erect
the thickest walls they can around computers so the bad guys can’t get in.
Now security experts, realizing they’re losing the battle, are ready to try a
new approach. They plan to recruit victims and other computer users to
help them go on the offensive and hunt down the hackers. “It’s time to
Some hackers penetrate systems just to see if they can. They use special computer
systems that continually check for password files that can be copied. Or they look for
areas of the system that have been left “open,” so to speak, where they can enter the
system. Sometimes they don’t do any damage, but far too often they destroy files, erase
data, or steal data for their own use through cybervandalism. Other hackers attack
systems because they don’t like the company.
The loose-knit hacking movement Anonymous claimed Sunday through
Twitter that it had stolen thousands of credit card numbers and other
Spoofing and Sniffing
These are two other methods hackers and criminals use to gain improper or illegal access
to computer systems. Spoofing is becoming a common way to steal financial information
through fake Web sites. The spoofed site is almost a mirror image of the real site and
Denial of Service Attacks
As companies and organizations expand their business to Web sites, they are opening
another point of vulnerability through denial of service attacks. Using botnets to launch
distributed denial of service attacks is becoming all too common. The hackers seem to
enjoy attacking the most popular Web sites like Facebook and Twitter.
“On this otherwise happy Thursday morning, Twitter is the target of a
denial of service attack,” wrote Stone (Twitter co-founder Biz Stone).
The news article below offers one idea of how to help fix problems hackers create.
The government is reviewing an Australian program that will allow
Internet service providers to alert customers if their computers are taken
over by hackers and could limit online access if people don’t fix the
Computer Crime
Some of the crimes we have just described are the most popular. Computer crime is a
growing national and international threat to the continued development of e-business and
It’s very difficult for our society and our governments to keep up with the rapid changes
in the types of computer crime being committed. Many laws have to be rewritten and
many new laws must be implemented to accommodate the changes.
Identity Theft
The fastest growing crime off or on the Internet is identity theft. Even though identity
theft is most likely to occur in an offline environment, once your personal information
has been stolen it’s easy to use it in an online environment.
“The biggest risk for identity fraud is from the old-fashioned theft of your
There are many precautions people can take to help prevent identity theft. One way is to
scrutinize emails or phone calls that ask for your personal information or financial
account information. No legitimate financial institution will ever send an email
requesting you to supply your account information. That is the number one indicator that
the email is a phishing email. You should ignore and delete the email immediately. You
Phishers are back with a vengeance, armed with some alarming new
trickery. Those email scammers who try to fool you into typing your user
name and passwords at faked financial Web pages have been around in
force since 2002. They remain active, though many Web users have gotten
adept at spotting, and avoiding, ruses to get their financial account log-
Other ways your identity can be stolen are through evil twins based on wireless network
intrusions and pharming, the use of bogus Web sites. All of these are classified as
computer crimes for which our government is continually passing new laws.
Click Fraud
All those ads you see on Web sites cost the sponsor money. Every time someone clicks
on an ad, the sponsor is charged a pay-per-click fee. The fee is based on the popularity of
the search words that generated the ad. What if your company is paying for an ad with
Global Threats: Cyberterrorism and Cyberwarfare
As terrorism continues to increase the possibility of physical attacks anywhere in the
world, computer systems can be targeted as often as buildings, cars, or trains.
Governments realize this and are investigating ways of preventing system attacks or
minimizing the damage caused to the vast number of networks that are vulnerable.
“FBI Director Robert S. Mueller III warned Thursday that the
cyberterrorism threat is real and . . . rapidly expanding.” Terrorists have
shown a clear interest in pursuing hacking skills, he told thousands of
security professionals at the RSA Conference in San Francisco. They will
Interactive Session: Organizations: Stuxnet and the Changing Face of
Cyberwarfare (see page 336 of the text) describes the most sophisticated cyberweapon
ever deployed. The Stuxnet worm has earned its place in history as the first visible
example of industrial cyberwarfare.
Internal Threats: Employees
It is surprising to learn that most computer crime against companies is committed by
current or former employees. They know the system best, are entrusted with huge
amounts of data, and have the easiest access. Managers and executives need to be aware
of potential internal threats to their systems and put special measures in place to
safeguard systems and data. They also need to impress upon all employees how important
security is throughout the system right down to the last person.
Jesse William McGraw worked as a night security guard at Northern Central
Medical Plaza in Dallas where he essentially had free run of the building. While
working, McGraw gained physical access to more than ten of the hospital’s
A former computer programmer at Goldman Sachs & Co. was sentenced in
March 2011 to 97 months in prison for theft of trade secrets and interstate
transportation of stolen property. For just over two years, Sergey Aleynikov was
A federal jury convicted a former Dow Chemical Company employee of stealing
trade secrets and selling them to companies in China, as well as committing
perjury. According to the evidence presented in court in early 2011, Wen Chyu
Password theft is the easiest way for hackers to gain access to a system. No, they don’t
come into your office at night and look at the piece of paper in your desk drawer that has
your password written on it. They generally use specially written software programs that
can build various passwords to see if any of them will work. That’s why you should use
odd combinations of letters and numbers not easily associated with your name to create
your password. The longer the password, the harder it is to replicate. The same password
should not be used for more than one access point. Using multiple passwords limits the
damage done if a hacker does manage to obtain a single password.
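The password advice above can be checked mechanically. The following is an added example, not part of the original lecture notes: it flags passwords with a small guessing search space, passwords containing part of the owner's name, and passwords reused across access points. The 60-bit threshold, the function names, and the sample accounts are assumptions made for illustration.

```python
import math
import string

# Character classes used to size the search space a guessing program must cover.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def search_space_bits(password):
    """log2 of the number of candidates for this length and the character
    classes the password uses. This is an upper bound: dictionary-based
    guessing finds common words far sooner."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def audit(owner_name, credentials, min_bits=60):
    """credentials maps access point -> password.
    Returns access point -> list of findings (empty list means none).
    min_bits is an assumed policy threshold, not a value from the page."""
    name_parts = [p.lower() for p in owner_name.split() if len(p) >= 3]
    used_at = {}
    for point, pw in credentials.items():
        used_at.setdefault(pw, []).append(point)
    report = {}
    for point, pw in credentials.items():
        findings = []
        bits = search_space_bits(pw)
        if bits < min_bits:
            findings.append(f"small search space ({bits:.0f} bits)")
        if any(part in pw.lower() for part in name_parts):
            findings.append("contains part of the owner's name")
        others = sorted(p for p in used_at[pw] if p != point)
        if others:
            findings.append("reused on: " + ", ".join(others))
        report[point] = findings
    return report

# Constructed sample data for illustration only.
SAMPLE = {
    "email": "alex2024",
    "payroll": "alex2024",
    "vpn": "t7#Lq92!vK0zW",
}

if __name__ == "__main__":
    for point, findings in audit("Alex Example", SAMPLE).items():
        print(point, "->", findings or ["no findings"])
```

Each extra character adds the same number of bits, so the search space grows exponentially with length, and the reuse finding shows which other access points fall with a single stolen password.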
Software Vulnerability
You too can be a millionaire! On the ABC television show “Who Wants to be a
Millionaire,” one contestant won the top prize of $1 million by knowing which insect
represented a computer “bug.” The term bug, used to describe a defect in a software
program, has been around since the 1940s and 1950s. Back then, computers were
powered by vacuum tubes--hundreds and thousands of them. Grace Hopper, an early
computer pioneer, was troubleshooting a computer that had quit running. When her team
Bottom Line: Information systems security is everyone’s business. Understanding
the vulnerabilities present in hardware, software, data, and networks is the first
8.2 Business Value of Security and Control
Transactions worth billions and trillions of dollars are carried out on networks every day.
Think of the impact if the networks experience downtime for even a few minutes. And,
the problem is far worse than companies may reveal:
There is evidence that unknown foreign entities have probed the computer
networks of the power grid. Some electrical companies report thousands of
Military precedent, foreign military publications, and new vulnerabilities
combine to suggest that foreign opponents have added cyber attack on the
power grid to their portfolio of possible actions in a conflict with the
In 2005 ChoicePoint, a data brokerage company, revealed that they had inadvertently
sold personal and financial information to more than 50 companies that were fronts for
identity thieves. This incident underscores the difficulties with protecting data and
information on millions of unsuspecting consumers and legitimate businesses. The cost of
settling several lawsuits went far beyond the potential profits ChoicePoint probably made.
Indeed, the problem has been very damaging to ChoicePoint’s business reputation.