Chapter 10 - Securing Information Systems: IS Security Is A Critical Aspect of Managing in The Digital World

Chapter 10 - Securing Information Systems
IS Security is a critical aspect of

managing in the digital world
Copyright 2014 Pearson Education, Inc. 1

Chapter 10 Learning Objectives
Computer Crime
Define computer crime and describe several types of computer crime.
Cyberwar and Cyberterrorism

Describe and explain the differences between cyberwar and cyberterrorism.
Information Systems Security

Explain what is meant by the term IS security and describe both technology and
human based safeguards for information systems.
Managing IS Security
Discuss how to better manage IS security and explain the process of developing an IS
security plan.
Information Systems Controls, Auditing, and the Sarbanes-Oxley Act

Describe how organizations can establish IS controls to better ensure IS security.

Computer Crime
Computer Crime
Define computer crime and describe several types of
computer crime.


Explain what is meant by the term IS security and describe both technology and human based
safeguards for information systems.
Discuss how to better manage IS security and explain the process of developing an IS security plan.


Threats to IS Security

What Is Computer Crime?
Using a computer to commit an illegal act
Targeting a computer while committing an

offense
Unauthorized access of a server to destroy data
Using a computer to commit an offense
Using a computer to embezzle funds
Using computers to support a criminal activity
Maintaining books for illegal gambling on a computer

Hacking and Cracking
Hackers
Anyone with enough knowledge to gain unauthorized
access to computers
Hackers who arent crackers dont damage or steal
information belonging to others
Crackers
Individuals who break into computer systems with the
intent to commit crime or do damage
Hacktivists: Crackers who are motivated by political or
ideological goal and who use Cracking to promote
their interests
Types of Computer Crimes
Unauthorized Access
Stealing information
Stealing use of computer resources
Accessing systems with the intent to commit
Information Modification
Information Modification
Changing data for financial gain (e.g.:
embezzlement)
Defacing a Web site (e.g.: hactivists making a
statement)
Types of Computer Criminals
Computer criminals come in all shapes and sizes, in

order of infractions they are:
1. Current or former employees; most organizations report
insider abuses as their most common crime (CSI, 2011)
2. People with technical knowledge who commit business
or information sabotage for personal gain
3. Career criminals who use computers to assist in crimes
4. Outside crackers crackers commit millions of intrusions
per year
1. Most cause no harm
2. Estimates are that only around 10 percent of cracker attacks
cause damage

Other Threats
Often institutions and individuals fail to exercise proper care and implement
effective controls
Passwords and access codes written down on paper, in plain sight or unsecured
Antivirus software isnt installed or isnt maintained
Systems left with default manufacturer passwords in place after being deployed
Information carelessly shared over the phone, or by letting unauthorized individuals
see monitor screens
Company files and resources without proper access controls
Failure to install and maintain Firewalls and Intrusion Prevention/Detection systems
Poor background checks on new hires
Employees with unmonitored access to data and resources
Fired employees left unmonitored and have access to damage the system before they
leave the company
Computer Viruses and Other Destructive Code
Computer Viruses
Worms, Trojan Horses, and Other Sinister Programs
Denial of Service
Spyware, Spam, and Cookies
Spyware
Spam
Cookies
The Rise of Botnets and the Cyberattack Supply Chain
Identity Theft

Computer Viruses and Other Destructive
Code: Viruses

Computer Viruses and Other Destructive
Code: Denial-of-Service

Computer Viruses and Other Destructive Code:
Spyware: software that monitors the activity on a
computer, such as the Web sites visible or even the
keystrokes of the user
Spam: Bulk unsolicited email sent to millions of users at
extremely low cost, typically seeking to sell a product,
distribute malware, or conduct a phishing attack
Cookies: A small file Web sites place on users computer.
Can be legitimate (to capture items in a shopping cart) but
can be abused (to track individuals browsing habits) and
can contain sensitive information (like credit card
numbers) and pose a security risk

Phishing

Internet Hoaxes & Cybersquatting
Internet Hoaxes
False messages circulated about topics of interest
Users should verify the content of emails before
forwarding
May be used to harvest emails for SPAM mailings
Cybersquatting
Buying & holding a domain name with the intent to
sell
The 1999 Anti-Cybersquatting Consumer Protection
Act makes it a crime if the intent is to profit from the
goodwill of a trademark belonging to someone else

Cyberharassment, Cyberstalking, and
Cyberbullying
Cyberharassment
Use of a computer to communicate obscene, vulgar, or
threatening content that causes a reasonable person to
endure distress
Cyberstalking
Tracking an individual, performing harassing acts not
otherwise covered by Cyberharassment, or inciting others
to perform harassing acts
CyberBullying
Deliberately causing emotional distress
All three are closely related, a Cyberstalker may be
committing Cyberharassment and Cyberbullying

Software Piracy
Region Piracy Level Dollar Loss

(in US$ millions)
North America Western 19% 10,958
Europe 32% 13,749
Asia/Pacific 60% 20,998
Latin America 61% 7,459
Middle East/Africa 58% 4,159
Eastern Europe 62% 6,133
Worldwide 42% 63,456

Federal Laws
Federal Laws
The Computer Fraud and Abuse Act of 1986
A crime to access government computers or
communications
A crime to extort money by damaging computer systems
A crime to threaten the President, VP, members of congress,
administration officials
Electronic Communications Privacy Act of 1986
A crime to break into any electronic communications service,
including telephone services
Prohibits the interception of any type of electronic
communications
Computer Crime

Describe and explain the differences between cyberwar
and cyberterrorism.



Cyberwar
Cyberwar Vulnerabilities
Command-and-control systems
Intelligence collection, processing, and distribution
systems
Tactical communication systems and methods
Troop and weapon positioning systems
Friend-or-foe identification systems
Smart weapons systems
The New Cold War
more than 120 nations are developing ways to use the
Internet as a weapon to target financial markets,
governmental computer systems, and key infrastructure

Cyberterrorism
What kinds of attacks are considered

Cyberterrorism?
Attacks by individuals and organized groups
political, religious, or ideological goals
How the Internet is changing the business
processes of terrorists
Terrorists are leveraging the Internet to coordinate
their activities, recruit, and perform fundraising

Cyberterrorism (continued)
Assessing the Cyberterrorism threat

The Internet is generally open and accessible from
anywhere in the world
There have been many attacks, and while not
significantly damaging, the will and potential exist
The globalization of terrorism
Terrorism is now a global business
Attacks can be launched from anywhere in the
world
Computer Crime


Explain what is meant by the term IS security and
describe both technology and human based safeguards for
information systems.


Safeguarding IS Resources
Risk Reduction
Actively installing countermeasures
Risk Acceptance
Accepting any losses that occur
Risk Transference
Insurance
Outsourcing

Technological Safeguards
Physical access restrictions

Firewalls
Encryption
Virus monitoring and prevention
Audit-control software
Secure data centers

Technological Safeguards:
Physical access restrictions
Physical access controls typically focus on
authentication
Something you have
Keys
Smart Cards
Something you are
Biometrics
Something you know
Password
PIN Code
Firewalls
Filter traffic
Incoming and/or outgoing traffic
Filter based on traffic type
Filter based on traffic source
Filter based on traffic destination
Filter based on combinations of parameters

Encryption

Virus monitoring and prevention
Standard precautions
Purchase, install, and maintain antivirus software
Do not use flash drives or shareware from unknown or
suspect sources
Use reputable sources when downloading material
from the Internet
Delete without opening any e-mail message received
from an unknown source
Do not blindly open e-mail attachments, even if they
come from a known source
If your computer system contracts a virus, report it
Audit-control software
All computer activity can be logged and

recorded
Audit-control software keeps track of
computer activity
Only protects security if results are monitored

Secure data centers - Ensuring Availability

Secure data centers
Securing the facilities infrastructure

Backups
Backup Sites
Redundant Data Centers
Closed-Circuit Television
Uninterruptible Power Supply

Human Safeguards

Computer Forensics
Formally evaluating digital information for

judicial review
Examining the computers of crime victims for
evidence
Examining the computers of criminals for evidence
Auditing computer activity logs
Restoring deleted computer data

Computer Crime


Discuss how to better manage IS security and explain the
process of developing an IS security plan.


Developing an IS Security Plan
Step
1) Risk Analysis Analyze the value of the data, the risks to
it, assess current policies, and
recommend changes
2) Policies and Procedures Create formal policies for use of and
safeguarding IS resources, and outline the
procedures to be followed and disaster
recovery plans
3) Implementation Institute the security practices, policies,
and procedures
4) Training Personnel need to know the policies,
plans, what their roles and tasks are, and
how to do them
5) Auditing This is an ongoing process to ensure
practice, compliance, and effectiveness
The State of Systems Security Management
Information Security is a huge management

challenge with ongoing opportunities
Organizations are rising to it
Activity logging and intrusion detection
Antivirus and antispyware software
Firewalls and VPNs
Encryption for data in transit and at rest

Information Systems Controls, Auditing, and
the Sarbanes-Oxley Act
Computer Crime


Information Systems Controls, Auditing, and the

Sarbanes-Oxley Act
Describe how organizations can establish IS controls to
better ensure IS security.

Information System Controls:
Hierarchy

Information System Controls
Preventive controls
Prevent events from occurring (e.g., block
unauthorized access)
Detective controls
Determine if anything has gone wrong (e.g.,
detect that an unauthorized access has occurred)
Corrective controls
Mitigate problems after they arise

The Sarbanes-Oxley Act
The Sarbanes-Oxley (S-OX) Act addresses

financial controls
Companies must demonstrate controls are in
place
Companies must preserve evidence documenting
compliance
Information systems typically used to meet
compliance requirements
Growing need for IS Auditors
END OF CHAPTER CONTENT

Managing in the Digital World: Not So Anonymous
Activists, Hacktivists, or Just Plain Criminals?
Anonymous
A loose collection of hacktivists
Practice civil disobedience by taking part in cyber
attacks on websites
Deadliest tool is denial-of-service attack
Referred to as The Punisher of the World Wide Web
Well known for Internet vigilantism
Claiming to have good intentions, but activities are
illegal
Dilemma between pursuing ideological goals and
crossing the bounds of legality

Ethical Dilemma:
Industrial Espionage
Industrial espionage is widespread, and critical
information is always vulnerable to attacks
Most commonly associated with industries where
research and development (R&D) is a significant
expense
May be conducted by governments as well as
competitors
Employees who can be bribed, coerced, or
blackmailed often targeted
Ex-employees also an opportunistic target
When a company has been victimized, they may feel
justified in using the same techniques to fight back
Whos Going Mobile:
Mobile Security
With hundreds of thousands of apps in app
stores, the potential for mobile malware is
significant
Malware could:
Collect data from compromised phones
Send texts which charge the user per text sent
By December of 2011 there were over 13,000
android focused malware apps
Apple and Google scan for Malware, but arent perfect
Other app sites often dont scan, and jail broken
phones that can access them are at high risk
Brief Case:
3D Crime Scenes
3D technology has progressed to allow

practical law enforcement use
Crime scenes can be scanned and captured in
minute detail
They can then be viewed from any possible angle
and vantage point
3D maps of cities and buildings are also being
stored to help foil future terrorist attacks

Coming Attractions:
Speeding Security Screening
Airport and customs screening is time consuming
and expensive
University of Arizona researchers have constructed an
embodied conversational agent called AVATAR that
can interview travelers
Multiple sensor technologies detect the travelers
emotional state and likely deceptiveness
As more tests are run, researchers learn more and
enhance its capabilities
One day it may take the lead in conducting travel
interviews
Key Players:
White Knights of the Internet Age
Every computer is vulnerable to attack
Security software is big business with many players
$17.7 billion in 2011
Specialized security companies
Symantec, TrendMicro, McAfee, Check Point, Kaspersky, Verint,
AVG, etc.
General technology companies
EMC, CA, and IBM are three of the biggest
Many options for users and companies, but educating
them in the need, and getting them to take appripriate
action, may be the hardest of all

When Things Go Wrong: Stopping Insider
Threats: WikiLeaks and Bradley Manning
Bradley Manning worked for the Army as an
Intelligence Analyst and had access to multiple
classified databases
Using a blank CD, he took unprecedented amounts of
classified information and transferred it to WikiLeaks
WikiLeaks has been publishing the information under the
belief that governments should be open and transparent
Bradley Manning caught after confiding to another former
hacker
New safeguards are being deployed throughout the
military and government to ensure there isnt another
Wikileaks type vent

Industry Analysis:
Cybercops Track Cybercriminals
Police departments have been playing catch-up with
technology, but are now making great strides
Every state and the FBI has dedicated cybercrime
resources
Software tools for law enforcement have improved
significantly
Law enforcement is reaching out to the community
through social media
Law enforcement communications has been upgraded to
block eavesdropping
While criminals may now be using technology to
commit crimes, Law enforcement is using technology
to catch them

Chapter 10 - Securing Information Systems: IS Security Is A Critical Aspect of Managing in The Digital World

Uploaded by

Document Informationclick to expand document informationCh10

Document Informationclick to expand document information

Copyright:

Available Formats

Chapter 10 - Securing Information Systems: IS Security Is A Critical Aspect of Managing in The Digital World

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 10 - Securing Information Systems: IS Security Is A Critical Aspect of Managing in The Digital World

Uploaded by

Copyright:

Available Formats

Chapter 10 - Securing Information Systems

IS Security is a critical aspect of

Copyright 2014 Pearson Education, Inc. 1

Cyberwar and Cyberterrorism

Information Systems Security

Information Systems Controls, Auditing, and the Sarbanes-Oxley Act

Copyright 2014 Pearson Education, Inc. 2

Cyberwar and Cyberterrorism

Information Systems Security

Information Systems Controls, Auditing, and the Sarbanes-Oxley Act

Copyright 2014 Pearson Education, Inc. 3

Copyright 2014 Pearson Education, Inc. 4

Using a computer to commit an illegal act

Targeting a computer while committing an

Copyright 2014 Pearson Education, Inc. 5

Computer criminals come in all shapes and sizes, in

Copyright 2014 Pearson Education, Inc. 8

Copyright 2014 Pearson Education, Inc. 10

Copyright 2014 Pearson Education, Inc. 11

Copyright 2014 Pearson Education, Inc. 12

Copyright 2014 Pearson Education, Inc. 13

Copyright 2014 Pearson Education, Inc. 14

Copyright 2014 Pearson Education, Inc. 15

Copyright 2014 Pearson Education, Inc. 16

Region Piracy Level Dollar Loss

Copyright 2014 Pearson Education, Inc. 17

Cyberwar and Cyberterrorism

Information Systems Security

Information Systems Controls, Auditing, and the Sarbanes-Oxley Act

Copyright 2014 Pearson Education, Inc. 19

Copyright 2014 Pearson Education, Inc. 20

What kinds of attacks are considered

Copyright 2014 Pearson Education, Inc. 21

Assessing the Cyberterrorism threat

Cyberwar and Cyberterrorism

Information Systems Security

Information Systems Controls, Auditing, and the Sarbanes-Oxley Act

Copyright 2014 Pearson Education, Inc. 23

Copyright 2014 Pearson Education, Inc. 24

Physical access restrictions

Copyright 2014 Pearson Education, Inc. 25

Copyright 2014 Pearson Education, Inc. 27

Copyright 2014 Pearson Education, Inc. 28

All computer activity can be logged and

Copyright 2014 Pearson Education, Inc. 30

Copyright 2014 Pearson Education, Inc. 31

Securing the facilities infrastructure

Copyright 2014 Pearson Education, Inc. 32

Copyright 2014 Pearson Education, Inc. 33

Formally evaluating digital information for

Copyright 2014 Pearson Education, Inc. 34

Cyberwar and Cyberterrorism

Information Systems Security

Information Systems Controls, Auditing, and the Sarbanes-Oxley Act

Copyright 2014 Pearson Education, Inc. 35

Information Security is a huge management

Copyright 2014 Pearson Education, Inc. 37