Describe the roles of firewalls, intrusion detection systems, and antivirus
software in promoting security.
A firewall is a combination of hardware and software that controls the flow of
incoming and outgoing network traffic according to a defined policy. Firewalls prevent
unauthorized users from accessing internal networks. They protect internal systems by
inspecting packets and dropping those with an unexpected source or destination
address, by offering a proxy server that itself has no access to internal documents and
systems, or by restricting the types of messages that get
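The packet-filtering behaviour described above, as an added example (not code from the page or from any firewall product): an ordered rule set is evaluated first-match-wins, and any packet that no rule explicitly allows is dropped. The addresses, interfaces and the policy itself are assumptions chosen for illustration. The first rule is the "wrong source" check: a packet that arrives on the external interface but claims an internal source address is spoofed and is rejected before any allow rule can match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    in_iface: str         # interface the packet arrives on: "ext", "int" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


# Assumed (constructed) policy: a public web server at 203.0.113.10 and an
# internal administration network 10.0.5.0/24 behind the firewall.
POLICY: List[Rule] = [
    # Anti-spoofing: nothing arriving from outside may carry an internal source.
    Rule("deny", "ext", "10.0.0.0/8", "0.0.0.0/0", "any", None),
    # Anyone may reach the web server, but only on HTTPS.
    Rule("allow", "any", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    # SSH into the admin network only from inside hosts.
    Rule("allow", "int", "10.0.0.0/8", "10.0.5.0/24", "tcp", 22),
]


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        rule.in_iface in ("any", pkt.in_iface)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.proto in ("any", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; with no match the packet is dropped (default deny)."""
    for rule in policy:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 443),  # allow
        Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 22),   # deny: no rule
        Packet("int", "10.1.2.3", "10.0.5.3", "tcp", 22),           # allow
        Packet("ext", "10.1.2.3", "10.0.5.3", "tcp", 22),           # deny: spoofed source
    ]
    for p in samples:
        print(p, "->", evaluate(POLICY, p))
```

Rule order matters: if the anti-spoofing deny were placed after the SSH allow, a spoofed packet on the external interface would still be refused here only because that allow is bound to the internal interface; in a policy without the interface check it would be let through.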
Explain how encryption protects information.
Encryption, the transformation of messages into a form that cannot be read without
the corresponding key, is a widely used technology for securing electronic
transmissions over the Internet and over Wi-Fi networks.
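As an added illustration (not code from the page), the following shows what "securing a transmission" means in practice: the message is made unreadable without the key, and any change to the ciphertext in transit is detected before decryption. It is built only from the Python standard library using HMAC-SHA256 as a keystream generator in counter mode plus an encrypt-then-MAC tag; this construction, the key and the sample message are assumptions for the exercise. A real deployment should use a vetted authenticated cipher such as AES-GCM from a maintained library rather than hand-rolled code.

```python
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and authentication keys from one secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF: block i = HMAC(k, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat under one key."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Any tampering raises ValueError."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: altered message or wrong key")
    return _xor(ciphertext, _keystream(_subkey(key, b"enc"), nonce, len(ciphertext)))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sealed = encrypt(key, b"card=4111111111111111;amount=42.00")  # constructed sample
    print("recovered:", decrypt(key, sealed))
    damaged = bytearray(sealed)
    damaged[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        decrypt(key, bytes(damaged))
    except ValueError as e:
        print("rejected:", e)
```

The order of operations in decrypt is the security-relevant detail: the tag is checked with a constant-time comparison before any plaintext is produced, so an attacker who flips bits on the wire gets an error rather than a predictably corrupted message.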
Describe the role of encryption and digital certificates in a public key
infrastructure.
Digital certificates combined with public key encryption provide further protection of
electronic transactions by authenticating a user's identity. Digital certificates are data
Distinguish between fault-tolerant and high-availability computing, and between
disaster recovery planning and business continuity planning.
Fault-tolerant computer systems contain redundant hardware, software, and power
supply components that can back the system up and keep it running to prevent system
failure. Some systems simply cannot be allowed to stop, such as stock market systems
or some systems in hospitals. Fault-tolerant computers contain extra memory chips,
processors, and disk storage devices to back up a system and keep it running. They
can also use special software routines or self-checking logic built into their circuitry
to detect hardware failures and automatically switch to a backup device.
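The "self-checking logic that detects a failure and switches to a backup" can be made concrete with triple modular redundancy, the classic fault-tolerance pattern: three replicas compute every result, a voter masks a single faulty one, and the replica that disagrees is replaced by a spare. This is an added example written for this manual, not code from the page; the replica functions and the stuck-bit fault model are constructed for illustration.

```python
from collections import Counter
from typing import Callable, List, Tuple

Replica = Callable[[int], int]


def majority(results: List[int]) -> Tuple[int, List[int]]:
    """Return the majority value and the indexes of replicas that disagreed.

    Raises when no value has a strict majority: two simultaneous faults
    cannot be masked by three replicas and must not be silently tolerated.
    """
    value, count = Counter(results).most_common(1)[0]
    if count * 2 <= len(results):
        raise RuntimeError(f"no majority among {results}: fault cannot be masked")
    failed = [i for i, r in enumerate(results) if r != value]
    return value, failed


class FaultTolerantUnit:
    """Triple modular redundancy with hot spares."""

    def __init__(self, replicas: List[Replica], spares: List[Replica]):
        if len(replicas) != 3:
            raise ValueError("TMR needs exactly three replicas")
        self.replicas = list(replicas)
        self.spares = list(spares)
        self.events: List[str] = []

    def compute(self, x: int) -> int:
        results = [r(x) for r in self.replicas]
        value, failed = majority(results)
        for idx in failed:
            # The automatic switch-over: a disagreeing unit is taken out of service.
            if self.spares:
                self.replicas[idx] = self.spares.pop(0)
                self.events.append(
                    f"replica {idx} returned {results[idx]} instead of {value}; switched to spare"
                )
            else:
                self.events.append(f"replica {idx} faulty and no spare left; running degraded")
        return value


def healthy(x: int) -> int:
    return x * 2


def stuck_bit(x: int) -> int:
    """Constructed fault model: a component whose lowest output bit is stuck at 1."""
    return (x * 2) | 1


if __name__ == "__main__":
    unit = FaultTolerantUnit([healthy, stuck_bit, healthy], spares=[healthy])
    print(unit.compute(21))   # 42, even though one replica answered 43
    print(unit.events)        # records the fault and the switch to the spare
    print(unit.compute(7))    # 14, now with three healthy replicas
```

The voter refusing to answer when there is no majority is the important edge case: a fault-tolerant design masks the failures it was sized for and fails loudly beyond that, rather than returning a value that happens to win a tie.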
Identify and describe the security problems posed by cloud computing.
Accountability and responsibility for protecting sensitive data remain with the
company that owns the data, even when the data are stored offsite with a cloud
provider. The company needs to make sure its data are protected at a level that meets
corporate requirements. The
Describe measures for improving software quality and reliability.
Using software metrics and rigorous software testing are two measures for improving
software quality and reliability.
Early, regular, and thorough testing contributes significantly to system quality.
Testing cannot prove that software is correct, but it does uncover the defects that
inevitably exist in software. Testing can be accomplished through the use of:
Walkthroughs: A review of a specification or design document by a small
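A software metric only helps if it is actually measured, so here is an added example (written for this manual, not code from the page) that computes cyclomatic complexity, one of the most widely used metrics, for every function in a piece of Python source by walking its syntax tree. Functions that score above a threshold are the ones to send to a walkthrough or to cover first in testing, because each extra decision point is another path a test must exercise. The sample source is constructed; the counting rules (if/for/while/except, each `and`/`or`, and comprehension filters) follow the usual definition, and nested functions are counted into their parent, which is a simplification.

```python
import ast
from typing import Dict

# Node types that each add one decision point (one more independent path).
_BRANCHES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler)


def function_complexity(func: ast.AST) -> int:
    """Cyclomatic complexity = 1 + number of decision points in the function."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, _BRANCHES):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1   # each and/or short-circuits into a new path
        elif isinstance(node, ast.comprehension):
            score += len(node.ifs)          # filter clauses inside comprehensions
    return score


def cyclomatic_complexity(source: str) -> Dict[str, int]:
    """Map each function name in the source to its complexity score."""
    tree = ast.parse(source)
    return {
        node.name: function_complexity(node)
        for node in ast.walk(tree)
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
    }


def too_complex(source: str, threshold: int = 10) -> Dict[str, int]:
    """Functions whose score exceeds the threshold: review and test these first."""
    return {name: c for name, c in cyclomatic_complexity(source).items() if c > threshold}


# Constructed sample input for the metric.
SAMPLE_SOURCE = '''
def check_login(user, password, attempts):
    if user is None or password is None:
        return False
    if attempts > 3:
        return False
    for ch in password:
        if ch.isspace():
            return False
    return True

def total(prices):
    return sum(p for p in prices if p > 0)
'''


if __name__ == "__main__":
    for name, score in cyclomatic_complexity(SAMPLE_SOURCE).items():
        print(f"{name}: {score}")
    print("needs review:", too_complex(SAMPLE_SOURCE, threshold=5))
```

For `check_login` the score is 6: the base path, three `if` statements, one `or`, and one `for`. That is also the minimum number of test cases needed to cover every branch, which is why the metric is a useful planning number for testing as well as for code review.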
Discussion Questions
1. Security isn’t simply a technology issue, it’s a business issue. Discuss.
Computer systems, of course, are composed of a number of technological marvels. As
with any asset in an organization, they need to be kept secure. A company’s core
capabilities and business processes are vital in today’s digital world. Technology
2. If you were developing a business continuity plan for your company, where
would you start? What aspects of the business would the plan address?
Business managers and information technology specialists need to work together to
determine which systems and business processes are most critical to the company.
3. Suppose your business had an e-commerce Web site where it sold goods and
accepted credit card payments. Discuss the major security threats to this Web
site and their potential impact. What can be done to minimize these threats?
The first major threat to an e-commerce Web site is hackers who could infiltrate the
system through the Internet. Hackers could steal credit card and personal information
of customers using the site. Not only would it be expensive to re-create the records
The third and perhaps biggest threat comes from SQL injection attacks. These attacks
take advantage of vulnerabilities in poorly coded Web application software to
introduce attacker-controlled SQL, and through it malicious program code, into a
company's systems and networks. The vulnerabilities occur when a Web application
fails to properly validate
Hands-On MIS Projects
Management Decision Problems
1. K2 Network: Operates online game sites that accommodate millions of players at
once, played simultaneously by people all over the world. Prepare a security
Threats include:
Hackers and crackers
Steps the company can take to prevent damage include:
Access controls: Prevent improper access to all of the organization’s systems by
unauthorized insiders and outsiders.
Firewalls: Prevent unauthorized users from accessing private networks.
2. Security analysis statistics: Analyze high risk, medium risk, and low risk
vulnerabilities by type of computing platform.
SECURITY VULNERABILITIES BY TYPE OF COMPUTING PLATFORM

PLATFORM                                    NUMBER OF   HIGH   MEDIUM   LOW    TOTAL
                                            COMPUTERS   RISK   RISK     RISK   VULNERABILITIES
Windows Server (corporate applications)     1           11     37       19     67
Windows Vista Ultimate (high-level          3           56     (one further cell survived: 87; its
administrators)                                                column and the row total were lost)
Sun Solaris (UNIX) (e-commerce and          2           12     (one further cell survived: 78; its
                                                               column and the row total were lost)

(The table as extracted had lost most of its cells; only the values shown above
are present on the page. The Windows Server row is complete: 11 + 37 + 19 = 67.)
1. Calculate the total number of vulnerabilities for each platform. What is the potential
impact of the security problems for each computing platform on the organization?
The total number of vulnerabilities for each platform is indicated in the far right
column of the table.
Potential impact of the security problems for each computing platform
High risk vulnerabilities: Misuse of passwords allows hackers, crackers, and
employees to access specific systems and files and steal data or change
2. If you only have one information systems specialist in charge of security, which
platforms should you address first in trying to eliminate these vulnerabilities?
Second? Third? Last? Why?
First platform to protect: Windows Vista Ultimate (high-level administrators).
Administrators usually have access to areas that no other users have, and the
tasks that administrators perform affect the core operations of a system.
3. Identify the types of control problems illustrated by these vulnerabilities and explain
the measures that should be taken to solve them.
General controls: Govern the design, security, and use of computer programs
and the security of data files in general throughout the organization’s information
Application controls: Specific controls unique to each computerized application,
such as payroll or order processing. They include both automated and manual
Measures that should be taken to solve them include:
o Create a security policy and an acceptable use policy.
4. What does your firm risk by ignoring the security vulnerabilities identified?
Information systems are vulnerable to technical, organizational, and environmental
threats from internal and external sources. Managers at all levels must make system
Improving Decision Making: Using Spreadsheet Software to Perform a Security
Risk Assessment
Software skills: Spreadsheet formulas and charts
Business skills: Risk assessment
Remind students that setting security policies and procedures really means developing a
plan for how to deal with computer security. One way to approach this task is:
Look at what you are trying to protect.
Reports should focus most on the last two steps, but the first three are critically important
to making effective decisions about security. One old truism in security is that the cost of
protecting yourself against a threat should be less than the cost of recovering if the threat
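The truism that protection should cost less than recovery is usually worked into a spreadsheet as annualized loss expectancy: single loss expectancy (asset value times the fraction lost per incident) multiplied by the expected number of incidents per year, compared with what a safeguard costs and how much it reduces that expectancy. The following is an added example for this exercise (not from the page) with constructed threat figures; the formulas are the standard risk-assessment ones, and extending the page's rule to "control cost must be below the reduction in expected annual loss" is an assumption made here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Threat:
    name: str
    asset_value: float      # cost to recover or replace the asset if fully lost
    exposure_factor: float  # fraction of the asset lost in one incident (0..1)
    annual_rate: float      # expected incidents per year without the safeguard
    control_cost: float     # annual cost of the proposed safeguard
    residual_rate: float    # expected incidents per year with the safeguard in place


def single_loss_expectancy(t: Threat) -> float:
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat, rate: float) -> float:
    return single_loss_expectancy(t) * rate


def assess(threats: List[Threat]) -> List[Dict]:
    """One spreadsheet row per threat, ordered by expected annual loss."""
    rows = []
    for t in threats:
        before = annual_loss_expectancy(t, t.annual_rate)
        after = annual_loss_expectancy(t, t.residual_rate)
        rows.append({
            "threat": t.name,
            "sle": single_loss_expectancy(t),
            "ale": before,
            "benefit": before - after,          # loss avoided per year by the safeguard
            "control_cost": t.control_cost,
            "justified": t.control_cost < before - after,
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed figures for a small online retailer; not data from the page.
SAMPLE_THREATS = [
    Threat("Web server compromise", 500_000, 0.4, 0.5, 30_000, 0.1),
    Threat("Laptop theft", 3_000, 1.0, 2.0, 20_000, 0.5),
    Threat("Power outage", 50_000, 0.1, 4.0, 8_000, 0.2),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_THREATS):
        print(f"{row['threat']:<22} ALE {row['ale']:>10,.0f}  "
              f"benefit {row['benefit']:>9,.0f}  cost {row['control_cost']:>7,.0f}  "
              f"{'fund' if row['justified'] else 'do not fund'}")
```

The ranking answers the "where do you start" part of the exercise, and the justified column is the truism applied: the laptop control is refused not because theft is unlikely but because the safeguard costs more per year than the loss it prevents.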
Improving Decision Making: Evaluating Security Outsourcing Services
Software skills: Web browser and presentation software
Business skills: Evaluating business outsourcing services
Present a brief summary of the arguments for and against outsourcing
computer security for your company.
Select two firms that offer computer security outsourcing services, and
Video Cases
You will find video cases illustrating some of the concepts in this chapter on the Laudon
Collaboration and Teamwork: Evaluating Security Software Tools
With a group of three or four students, use the Web to research and evaluate
security products from two competing vendors, such as antivirus software, firewalls,
or antispyware software. For each product, describe its capabilities, for what types
of businesses it is best suited, and its cost to purchase and install. Which is the best
product? Why? If possible, use Google Sites to post links to Web pages, team
communication announcements, and work assignments; to brainstorm; and to work
collaboratively on project documents. Try to use Google Docs to develop a
presentation of your findings for the class.
There are literally dozens of products from different vendors that can be researched in
Case Study: Information Security Threats and Policies in Europe
1. What is a botnet?
A botnet is a cluster or group of computers infected with malicious code that enables
2. Describe some of the main points of the Digital Agenda for Europe.
The Digital Agenda for Europe was drawn up by the European Commission as a road
3. Explain how a cyber attack could be carried out.
A cyber attack can be carried out using simple ping commands sent from a cluster of
computers (a ping flood). Other, more sophisticated attacks use botnets consisting of hundreds of
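Detecting the ping-flood style of attack described above, and telling a single noisy host apart from a botnet, comes down to counting packets per destination in short time windows. The following is an added example for this case (not code from the page or from any product) run over a constructed packet log: two ordinary HTTPS packets and a one-second burst of ICMP from 25 different sources. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def constructed_log() -> List[str]:
    """Constructed flow records, one per packet: "<seconds> <src> <dst> <proto>"."""
    lines = [
        "100.05 198.51.100.7 203.0.113.10 tcp",
        "100.10 198.51.100.9 203.0.113.10 tcp",
        "103.40 198.51.100.7 203.0.113.10 tcp",
    ]
    for i in range(30):  # 30 ICMP packets in the same second from 25 distinct hosts
        lines.append(f"100.{i:02d} 192.0.2.{i % 25 + 1} 203.0.113.10 icmp")
    return lines


def detect_floods(lines: Iterable[str], window: float = 1.0, threshold: int = 20) -> List[Dict]:
    """Flag any (destination, protocol) that receives >= threshold packets in one window.

    Each alert reports how many distinct sources took part: one source is a single
    attacker that can simply be blocked; many sources point at a botnet, where
    per-address blocking does not scale and upstream rate limiting is needed.
    """
    buckets: Dict[Tuple[str, str, int], List[str]] = defaultdict(list)
    for line in lines:
        ts, src, dst, proto = line.split()
        slot = int(float(ts) // window)
        buckets[(dst, proto, slot)].append(src)

    alerts = []
    for (dst, proto, slot), sources in sorted(buckets.items(), key=lambda kv: kv[0][2]):
        if len(sources) >= threshold:
            distinct = len(set(sources))
            alerts.append({
                "dst": dst,
                "proto": proto,
                "window_start": slot * window,
                "packets": len(sources),
                "sources": distinct,
                "distributed": distinct > 1,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(constructed_log()):
        print(alert)
```

The threshold has to be tuned per destination and protocol: 20 ICMP packets a second at a small web server is an event, while the same count of TCP packets is normal traffic, which is why the detector keys on protocol as well as address.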
4. Describe some of the weaknesses exploited by malware.
One common weakness exploited by malware is the buffer overrun. A buffer is an