Management Chapter 8 Web Sites And Computer Systems Hackers Not

8-1

Chapter 8

Securing Information Systems

Learning Objectives

1. Why are information systems vulnerable to destruction, error, and abuse?

2. What is the business value of security and control?

Chapter Outline

8.1 System Vulnerability and Abuse

Why Systems are Vulnerable

8.2 Business Value of Security and Control

Legal and Regulatory Requirements for Electronic Records Management

Electronic Evidence and Computer Forensics

8.3 Establishing a Framework for Security and Control

Information Systems Controls

8.4 Technologies and Tools for Protecting Information Resources

Identity Management and Authentication

8-2

Key Terms

The following alphabetical list identifies the key terms discussed in this chapter. The

page number for each key term is provided.

Acceptable use policy (AUP), 342

Computer virus, 328

Controls, 325

Cybervandalism, 330

Cyberwarfare, 334

Deep packet inspection (DPI), 352

General controls, 340

Gramm-Leach-Bliley Act, 339

Hacker, 330

High-availability computing, 351

HIPAA, 338

8-3

Pharming, 333

Phishing, 333

Public key encryption, 350

Public key infrastructure (PKI), 350

Recovery-oriented computing, 351

Risk assessment, 341

Token, 346

Trojan horse, 329

Unified threat management (UTM), 349

War driving, 327

Worms, 328

Teaching Suggestions

The opening case, “You’re on LinkedIn? Watch Out!,” describes several different ways

information systems become vulnerable to malicious software— individual user’s

computers, their friends’ computers, and computers of LinkedIn-participating businesses.

Because of its huge user base, an easy-to-use Web site, and a community of users easily

Section 8.1, “System Vulnerability and Abuse” With data concentrated in electronic

form and many procedures invisible through automation, computerized information

8-4

systems are vulnerable to destruction, misuse, error, fraud, and hardware or software

failures. Corporate systems using the Internet are especially vulnerable because the

Interactive Session: Organizations: Stuxnet and the Changing Face of

Cyberwarfare

Case Study Questions:

1. Is cyberwarfare a serious problem? Why or why not?

Cyberwarfare is becoming a very serious problem. Attacks have become much more

widespread, sophisticated, and potentially devastating. The U.S. Department of

2. Assess the management, organizational, and technology factors that have

created this problem.

Management: Most attacks are the work of highly skilled professionals. “I view

Stuxnet as a weapons delivery system, like the B-2 Bomber,” said Michael

8-5

3. What makes Stuxnet different from other cyberwarfare attacks? How serious a

threat is this technology?

To date, Stuxnet is the most sophisticated cyberweapon ever deployed. Stuxnet’s

mission was to activate only computers that ran Supervisory Control and Data

4. What solutions have been proposed for this problem? Do you think they will be

effective? Why or why not?

The United States has no clear strategy about how the country would respond to

various levels of cyberattacks. Mike McConnell, the former director of national

Section 8.2, “Business Value of Security and Control” Security and control are

important but often neglected areas for information systems investments. The majority of

companies today are naïve about how vulnerable their assets are. When developing and

Section 8.3, “Establishing a Framework for Security and Control” Firms must use

appropriate technologies to effectively protect their information resources. The best place

to start is by establishing a well-defined set of general and application control. Ask your

students to research what types of security and controls methods are employed by their

university or workplace. In groups, ask them to present their findings in class.

8-7

Review Questions

1. Why are information systems vulnerable to destruction, error, and abuse?

List and describe the most common threats against contemporary information

systems.

The most common threats against contemporary information systems include:

technical, organizational, and environmental factors compounded by poor

Define malware and distinguish among a virus, a worm, and a Trojan horse.

Malware (for malicious software) is any program or file that is harmful to a computer

user. Thus, malware includes computer viruses, worms, Trojan horses, and also

spyware programs that gather information about a computer user without permission.

• Virus: A program or programming code that replicates itself by being copied

Define a hacker and explain how hackers create security problems and damage

systems.

A hacker is an individual who gains unauthorized access to a computer system by

finding weaknesses in security protections used by Web sites and computer systems.

8-8

Define computer crime. Provide two examples of crime in which computers are

targets and two examples in which computers are used as instruments of crime.

The Department of Justice defines computer crime as “any violations of criminal law

that involve a knowledge of computer technology for their perpetration, investigation,

Computers as targets of crime:

• Breaching the confidentiality of protected computerized data

• Accessing a computer system without authority

Computers as instruments of crime:

• Theft of trade secrets

• Unauthorized copying of software or copyrighted intellectual property, such

Define identity theft and phishing and explain why identity theft is such a big

problem today.

Identity theft is a crime in which an imposter obtains key pieces of personal

information, such as social security identification number, driver’s license number, or

credit card numbers, to impersonate someone else. The information may be used to

8-9

Describe the security and system reliability problems created by employees.

The largest financial threats to business institutions come from employees. Some of

the largest disruptions to service, destruction of e-commerce sites, and diversion of

customer credit data and personal information have come from insiders. Employees

software or maintain existing programs.

Explain how software defects affect system reliability and security.

The software can fail to perform, perform erratically, or give erroneous results

because of undetected bugs. A control system that fails to perform can mean medical

equipment that fails or telephones that do not carry messages or allow access to the

2. What is the business value of security and control?

Explain how security and control provide value for businesses.

Security refers to the policies, procedures, and technical measures used to prevent

8-10

Describe the relationship between security and control and recent U.S.

government regulatory requirements and computer forensics.

Legal actions requiring electronic evidence and computer forensics also require firms

to pay more attention to security and electronic records management. Computer

forensics is the scientific collection, examination, authentication, preservation, and

3. What are the components of an organizational framework for security and

control?

Define general controls and describe each type of general control.

General controls govern the design, security, and use of computer programs and the

security of data files in general throughout the organization’s information technology

8-11

Define application controls and describe each type of application control.

Application controls are specific controls unique to each computerized application.

They include both automated and manual procedures that ensure that only authorized

Describe the function of risk assessment and explain how it is conducted for

information systems.

A risk assessment determines the level of risk to the firm if a specific activity or

process is not properly controlled. Business managers working with information

systems specialists can determine the value of information assets, points of

Define and describe the following: security policy, acceptable use policy, and

identity management.

8-12

A security policy consists of statements ranking information risks, identifying

acceptable security goals, and identifying the mechanisms for achieving these goals.

The security policy drives policies determining acceptable use of the firm’s

information resources and which members of the company have access to its

information assets.

Explain how MIS auditing promotes security and control.

Comprehensive and systematic MIS auditing organizations determine the

effectiveness of security and controls for their information systems. An MIS audit

4. What are the most important tools and technologies for safeguarding

information resources?

Name and describe three authentication methods.

Authentication refers to the ability to know that a person is who he or she claims to

be. Some methods are described below: