The objectives of this chapter are to:
- Explain why computer systems are vulnerable to attack
- Explain why the internet and Wi-Fi networks are so difficult to secure.
- Describe the main threats to information systems.
- Describe the business value of security and control.
- Describe the security controls mechanisms that can be employed to protect information systems
- Briefly describe what is involved in disaster recovery planning.
- Describe the tools and technologies for protecting information systems
- Identify the challenges posed by information systems security and control
A. SYSTEM VULNERABILITY AND THREATS
Why Systems are Vulnerable
Computer based systems tend to be more vulnerable to damage, error, and fraud than manual systems for the following reasons:
- Data are stored in electronic format and are therefore not visible or easily auditable.
- Data are concentrated in electronic files and databases. A disaster such as a hardware or software fault, power failure or fire can be more far-reaching. An organisation’s entire record-keeping system could be destroyed.
- There may not be a visible trail to indicate what occurred for every computer process so errors entered in data can be very difficult to detect.
- Computer programs are also vulnerable as errors can be accidentally introduced when updates to the programs are installed. It can also be possible for programmers to make unauthorised changes to working systems.
- Many information systems can be accessed through telecommunications, and telecommunications can produce errors in data transmission.
- Data in files or databases can be accessed and manipulated directly in online systems. The data can be stolen, corrupted or damaged by hackers and computer viruses.
- Hardware equipment can be stolen – this is a growing problem because of the growth in mobile computing.
Why are the Internet and Wi-Fi networks so difficult to secure?
The Internet is difficult to secure because:
- The Internet is designed to be an open system so anyone can access it.
- Home and small-office connections over cable or Digital Subscriber Line (DSL) modems typically keep the same public IP address for long periods, so once hackers have identified such a host it remains an easy target to probe and attack.
- Internet traffic is vulnerable to interception unless it is encrypted or runs over a secure private network. Voice over IP (VoIP) traffic sent over the public Internet is often not encrypted, so conversations can be intercepted.
- E-mail messages can contain viruses and other forms of malware.
Wi-Fi networks are difficult to secure because:
- Wi-Fi networks are vulnerable because they use radio frequency bands to communicate between devices; these can be easily scanned.
- Wi-Fi networks can be penetrated by outsiders using sniffer programs.
- Sometimes Wi-Fi networks do not have basic security protections activated to prevent unauthorised access.
The initial security standard developed for Wi-Fi, Wired Equivalent Privacy (WEP), has well-known weaknesses and can be broken in minutes with freely available tools; it has been superseded by the much stronger Wi-Fi Protected Access (WPA and WPA2) encryption.
Types of Threats
Malicious software, also referred to as Malware, is any program or file that is harmful to a computer user. Malware includes computer viruses, computer worms, Trojan horses, spyware and keyloggers.
Virus: A computer virus is a small program or piece of code that replicates itself by copying itself into other programs or files. It spreads to other computers when an infected file is carried there, for example via a shared file system, a removable disk or an e-mail attachment, and run.
Worms: A computer worm is a self-replicating program that, unlike a virus, does not need a host file; it typically resides in active memory and does not alter files. A worm exploits security weaknesses to spread itself automatically to other computers on a network, without any action by the user.
Trojan horse: A Trojan horse is a program in which malicious or harmful code is hidden inside what appears to be harmless software or data, so that when the user runs it the malicious code gains control and does some form of damage to the computer system. Unlike viruses and worms, Trojans do not replicate themselves; they rely on the user being tricked into installing them. A Trojan can also give a hacker remote access to the targeted computer system.
Like viruses, worms and Trojan horses can harm a computer system’s data or performance.
Spyware: These are programs that reside on a computer and gather information about the user without their knowledge. Spyware can collect different types of data, including personal information such as Internet surfing habits, user logins and bank or credit account information.
Keyloggers: These record the keystrokes made on a computer by the person using the keyboard, in order to discover login names and passwords, bank account numbers and so on. The logging is typically done in a hidden manner so that the person typing is unaware that their actions are being monitored.
A hacker is an individual who intends to gain unauthorised access to a computer system. Hackers gain access by finding weaknesses in the security protections employed by Web sites or information systems. Their motives vary and include challenge, protest and profit. Hackers can steal goods and information, and deface, disrupt or damage a Web site or information system.
There are many different types of hackers with different motives such as:
- A white hat hacker attempts to break into a system for non-malicious reasons, such as testing the security of the system.
- A black hat hacker is a hacker who breaches the computer security of a system for personal gain, such as to steal data or information.
DENIAL OF SERVICE (DOS) ATTACK
This is where hackers flood a network or Web server with thousands of false requests for service in order to crash the network or server. A DoS attack launched from many computers at once, typically a botnet of compromised machines, is called a distributed denial of service (DDoS) attack; the many launch points make the traffic much harder to filter. Although DoS attacks do not destroy information, they can cause a Web site to shut down, thus denying access to legitimate users.
SPOOFING AND SNIFFING
Spoofing involves a hacker disguising their identity, for example by forging the sender address of an e-mail or the source address of network packets, or redirecting a Web link to a different Web site set up by the hacker. The aim of spoofing is to trick users into providing information such as login names, passwords and account details to the outsider.
A sniffer is an eavesdropping program that monitors information travelling over a network and can enable hackers to steal information in transit. The sniffer searches for passwords or other content in packets of data as they pass over the Internet or another network; anything sent unencrypted is exposed to it.
Identity Theft and Phishing
Identity theft is a crime in which someone uses the personal information of others such as a bank account number, driver’s license number, or credit card numbers, to create a false identity or impersonate someone else, for the purpose of committing some type of fraud. The information may be used to obtain credit, goods or services in the name of the victim.
The Internet has made identity theft easier because goods can be purchased online without any personal interaction. Hackers are increasingly targeting personal information and credit card details held on e-commerce sites.
Phishing is an attempt to use deception to unlawfully acquire sensitive information such as bank account details or system login names and passwords. It normally involves setting up fake Web sites or sending bogus e-mail messages that appear to come from legitimate businesses, in order to deceive users into divulging confidential personal data. The e-mail usually asks recipients to update or confirm their records by entering bank and credit card information, and other confidential data, at a fake Web site.
Internet Click Fraud
This term refers to a collection of scams and deceptions that inflate advertising bills for companies who are engaging in online advertising. Two common types of click fraud are:
- Clicks made by another user or a competitor who deliberately clicks on a pay-per-click advertisement with no intention of buying, simply to run up the advertiser’s bill.
- Clicks or views generated by advertising (affiliate) sites on the advertisements placed on their own pages, for example via spyware that clicks automatically. The affiliate is then paid a commission on the cost-per-click that was artificially generated.
With the phenomenal growth in pay-per-click advertising, this form of Internet fraud is on the increase.
Threats from Employee
Some of the largest threats to businesses come from employees. These can include disruptions to service, errors in data entry, accidental deletion of data and diversion of customer credit data and personal information. Employees have access to privileged information, and if internal security procedures are weak they are often able to roam throughout an organisation’s systems.
Many employees forget their passwords to access computer systems or allow other members of staff to use them, which can compromise the system. Employees can introduce errors by entering faulty data or by not following instructions for processing data and using computer equipment. Information system specialists can also create software errors as they design and develop new software or maintain existing programs.
Software errors pose a constant threat to information systems: they can cause a system to crash or slow down, lead to large losses in productivity and in some cases cause loss of data. Software can also contain hidden bugs in the program code which, besides affecting performance, can open the system to hackers.
To correct software flaws once they are identified, the software vendor normally releases small pieces of code called patches to repair the defect. A patch only helps once it has been installed, so an organisation needs a process for applying patches promptly.
SECURITY AND CONTROLS
The term Security is used to refer to the policies, rules, procedures and technical solutions that can be used to prevent the following:
- Unauthorised access to systems,
- Alteration of data or software,
- Theft of data, software or equipment,
- Physical damage to information systems hardware.
The Business Value of Security and Controls
Security and control are an important area of information systems management. Companies that rely on computer systems to support their main business functions can be seriously impacted if a problem occurs with their information systems. For example, an organisation relying on an e-commerce site for online sales would be seriously impacted by a security breach that affected the operation of that site. If data stored on information systems, such as employee records, trade secrets or customer data, were to become accessible to people outside the organisation, it would undermine the business, damage its reputation and open the firm to legal liability. Laws such as the Sarbanes-Oxley Act in the US and data protection legislation in many countries require companies to practise strict electronic records management (ERM) and adhere to exacting standards for security, privacy and control. Electronic records management (ERM) consists of the policies, procedures and tools for managing the retention, destruction and storage of electronic records.
An increasing amount of the evidence presented in legal cases today is in electronic form. This includes information in hard disks, CDs and digital media as well as e-mail and records of e-commerce transactions. E-mail is currently the most common type of electronic evidence.
In a legal case, a firm may have to respond to a discovery request for access to information that may be used as evidence, and the company is required by law to produce the data. The cost of responding to a discovery request can be high if the company has difficulty collecting the required data or the data have been deleted. Courts can impose stern financial and criminal penalties for improper destruction of electronic documents.
Computer forensics is the scientific approach to collection, examination, authentication, preservation and analysis of data held on or retrieved from computer storage media so that the information can be used as evidence in a court of law.
Information System Controls
Computer systems are controlled by a combination of general controls and application controls.
There are six principal general controls, which include software controls, hardware controls, computer operations controls, data security controls, system implementation controls and administrative controls.
- Computer software security can be promoted by program security controls to prevent unauthorised changes to programs in production systems. Software security is also promoted by system software controls that prevent unauthorised access to system software and log all system activities.
- Computer hardware security can be promoted by locating hardware in restricted rooms where only authorised individuals can access it. Special safeguards against fire, high temperature, and electric power disruptions can be implemented.
- Computer operations controls oversee the work of the computer department, ensuring that procedures for storage and processing of data are followed. Computer operations controls include the setup of computer processing jobs, computer operations and computer backup and restore procedures.
- Data security controls prevent unauthorised changes, deletion or access to data while the data is in use or in storage. Data security software can be configured to restrict access to individual files, data fields or groups of records. Data security software often features logs that record users who access or update files. Data storage media can be physically secured to prevent access by unauthorised personnel.
- System implementation controls ensure that the systems development process is properly controlled and managed. A system development audit checks that formal reviews and signoff were done by users and management at the various stages of the development process. The audit should look for the use of controls and quality assurance techniques for program development, conversion and testing and for complete system documentation.
- Administrative controls are formalised standards, rules, procedures and control disciplines to ensure the organisations general and application controls are properly executed and enforced.
Application controls are specific controls associated with each individual application system, such as a payroll system. Their purpose is to ensure that only authorised data enters the system and that it is processed completely and accurately. They can include both automated and manual controls.
There are three principal application controls, which are called input controls, processing controls and output controls.
- Input controls are procedures to check data for accuracy and completeness when they enter the system.
- Processing controls are the routines for establishing that data are complete and accurate during updating. Common controls include control totals, computer matching and run control totals.
- Output controls are measures to ensure that the outputs after processing are accurate, complete and distributed to the correct recipients.
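The three kinds of application control can be seen together on a small payroll batch. The following Python program is an added example, not part of the original chapter: the record layout, the employee-number format, the hours limit and the sample batch (including the control totals declared in its header) are all assumed for illustration. Input controls reject a record with an impossible value; batch control totals recomputed from what was actually received show that a record was lost on the way.

```python
"""Application controls on a payroll batch: input edit checks on each record
and batch control totals across the batch. Added illustration, not from the
text. The record layout, the employee-number format, the limits and the sample
batch (including its header totals) are constructed for the example.
"""
import re
from decimal import Decimal, InvalidOperation

EMP_ID = re.compile(r"^E\d{5}$")    # assumed employee-number format
MAX_HOURS = Decimal("80")           # assumed reasonableness limit per pay period

def to_decimal(value):
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None

def validate_record(rec):
    """Input controls: format, numeric and range checks on one record."""
    problems = []
    if not EMP_ID.match(str(rec.get("emp_id", ""))):
        problems.append("emp_id: bad format")
    for field in ("hours", "rate"):
        value = to_decimal(rec.get(field, ""))
        if value is None:
            problems.append(f"{field}: not numeric")
        elif value < 0 or (field == "hours" and value > MAX_HOURS):
            problems.append(f"{field}: out of range ({value})")
    return problems

def control_totals(records):
    """Processing controls: a record count, a hash total (the sum of employee
    numbers, meaningless in itself but changed by any lost or altered record)
    and a financial total, all recomputed from what was actually received."""
    ids = [int(r["emp_id"][1:]) for r in records if EMP_ID.match(str(r.get("emp_id", "")))]
    hours = [to_decimal(r.get("hours")) for r in records]
    return {
        "record_count": len(records),
        "hash_total": sum(ids),
        "hours_total": sum((h for h in hours if h is not None), Decimal("0")),
    }

def process_batch(header, records):
    """Returns (gross pay per accepted record, rejected records by index,
    control-total mismatches as {name: (expected, actual)}). A batch whose
    totals do not agree with its header must not be released to payment."""
    accepted, rejected = [], {}
    for i, rec in enumerate(records):
        problems = validate_record(rec)
        if problems:
            rejected[i] = problems
        else:
            accepted.append(rec)
    totals = control_totals(records)
    mismatches = {k: (header[k], totals[k]) for k in header if header[k] != totals[k]}
    pay = {r["emp_id"]: Decimal(r["hours"]) * Decimal(r["rate"]) for r in accepted}
    return pay, rejected, mismatches

# Constructed batch: the header (prepared at source) declares five records, but
# one was lost in transit and the hours for E10030 were keyed as 400 instead of 40.0.
BATCH_HEADER = {"record_count": 5, "hash_total": 50147, "hours_total": Decimal("190.5")}
BATCH = [
    {"emp_id": "E10021", "hours": "40.0", "rate": "18.50"},
    {"emp_id": "E10022", "hours": "37.5", "rate": "22.00"},
    {"emp_id": "E10030", "hours": "400", "rate": "19.00"},
    {"emp_id": "E10033", "hours": "35.0", "rate": "21.25"},
]

if __name__ == "__main__":
    pay, rejected, mismatches = process_batch(BATCH_HEADER, BATCH)
    print("rejected:", rejected)
    print("control totals out of balance:", mismatches)
    print("gross pay:", pay)
```

The output control here is the rule in process_batch that a batch with any mismatch is held rather than paid; the hash total is what catches the missing record even when the financial total happens to balance.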
ORGANISATIONAL AND MANAGERIAL FRAMEWORK FOR SECURITY AND CONTROL
A risk assessment determines the level of risk to the firm if a specific activity or process is not properly protected or controlled. It involves determining the value of information resources, their points of vulnerability, the likely occurrence of a problem and the potential for damage.
Security risk analysis involves determining what needs to be protected, what it needs to be protected from and how to protect it and the level of protection that is justified. The aim is to make cost-effective decisions about what needs to be protected. There are two important elements of a risk analysis:
1. Identify the assets.
2. Identify the threats.
The risk analysis process prioritises those assets that need to be protected based on the value of the asset, the probability of the threat, the likely impact of the threat in terms of potential loss and the estimated cost of protection. Once the risks have been prioritised the system builders can concentrate on the control point with the greatest vulnerability and potential for loss.
The following are a list of categories of assets that may need to be assessed:
- Hardware: keyboards, terminals, workstations, personal computers, laptops, printers, disk drives, communication lines, servers, routers, hubs etc.
- Software: source programs, object programs, utilities, diagnostic programs, operating systems, communication programs.
- Data: during execution, stored online, archived off-line, backups, audit logs, databases, and in-transit over communication links.
- People: users, internal IT professionals, external support organisations.
- Documentation: on programs, hardware, systems and local administrative procedures.
- Supplies: paper and digital storage media.
The end result of risk assessment is a plan to implement controls that minimise overall cost while maximising defences.
Risk mitigation is where the organisation takes specific steps against the risk. They can implement controls that are likely to reduce or eliminate the risk or they can develop some way of recovering the asset if a breach occurs.
The following are three risk mitigation strategies that an organisation could adopt:
- Risk acceptance – continuing without controls and accepting any loss that occurs
- Risk limitation – implement some controls to reduce the risk
- Risk transference – use other means to compensate for possible loss like purchasing insurance
Security Policy, Acceptable Use Policy and Authorisation Policy
Larger firms typically have a formal corporate security function headed by a chief security officer (CSO). The security group educates and trains users, keeps management aware of security threats and breakdowns and maintains the tools chosen to implement security. The chief security officer is responsible for enforcing the firm’s security policy.
A security policy contains a set of statements that rank information risks to a company. The policy will also specify what the acceptable security goals are and the level of risk that management are willing to accept. It should also identify how these goals will be achieved.
An acceptable use policy (AUP; also sometimes referred to as acceptable usage policy) defines what is considered to be acceptable uses of the firm’s information resources. These resources would typically include computers, telephones, e-mail and the Internet. The policy should set out the company policy regarding privacy, user responsibility and personal use of company equipment.
New staff members will generally be expected to sign an AUP document before they are given access to the information systems. The AUP should also specify what sanctions will be applied if a user does not comply with the AUP.
Authorisation policy determines differing levels of access to information assets for different levels of users. Authorisation management systems establish where and when a user is permitted to access certain parts of a Web site or a corporate database.
Identity management is a much broader concept that includes the business processes and tools used to identify valid users of systems and control their access. It specifies the level of access that the different categories of users have.
Ensuring Business Continuity
As companies increasingly rely on digital networks and systems for their business, they need to take added steps to ensure that their systems and applications are always available. Downtime refers to periods of time in which a system is not operational. Several techniques can be used by companies to reduce downtime.
Fault Tolerant Systems
Fault tolerant systems are important in environments where an interruption in processing has highly undesirable effects, such as hospital information systems or securities trading, i.e. where interruption to processing is not acceptable. These systems continue to operate after some of their processing components fail. Fault tolerant systems are built with redundant components; they generally include several processors in a multiprocessing configuration. If one of the processors fails, the other (or others) can provide degraded, yet effective, service.
High-availability computing is also designed to maximise application and system availability, but it accepts that a crash may occur and helps firms recover from it quickly. Fault tolerance, by contrast, promises continuous availability and the elimination of recovery time altogether. A high-availability computing environment is a minimum requirement for firms with heavy electronic commerce requirements.
Load balancing involves distributing large numbers of access requests across multiple servers. Requests are directed to the most available server so that no single device is overwhelmed. If any server starts to get swamped, access requests are forwarded to another server with more capacity.
Mirroring involves the use of a backup server that duplicates all the processes and transactions of the primary server. If for any reason the primary server fails the backup server can take its place without any interruption to service. This approach is quite expensive, because every server must be mirrored by an identical server, whose only purpose is to take its place in the event of a failure.
Researchers are looking at ways to make computer systems recover more rapidly when mishaps occur. This approach, which is called recovery-oriented computing, involves designing computing systems to recover quickly from mishaps and putting in place capabilities and tools to help operators identify the source of the fault to allow the problem to be easily corrected.
Disaster Recovery Planning
Disaster recovery planning involves specifying plans for the restoration of computing and communications services after they have been disrupted by a natural event such as an earthquake or flood, or by human activity. Disaster recovery plans focus primarily on the technical issues involved in getting the systems up and running, such as which files to back up, the maintenance of backup computer systems and having backup telecommunications links in place.
With the increasing importance of information technology for the continuation of business critical functions, combined with the increasing need to have systems operational 24/7, the importance of protecting an organisations data and IT infrastructure in the event of a disruption has become an ever increasing business priority in recent years.
It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that had a major loss of business data, up to half don’t reopen, and a high percentage close within two years.
Business Continuity Planning
Business continuity planning focuses on how the company can restore business operations after a disaster occurs. The business continuity plan identifies critical business processes and sets out the actions to be taken to enable mission-critical functions to continue to operate after a disaster occurs and systems stop working.
Auditing
To check that its security and controls are effective, an organisation must conduct regular systematic audits. A MIS (management information systems) audit identifies all of the controls that govern individual information systems and assesses their effectiveness.
The auditor must acquire a thorough understanding of the operations, physical facilities, telecommunications, control systems, data security objectives, organisational structure, personnel, manual procedures and individual applications of the company.
The auditor usually interviews key individuals, who use and operate the specific information system being audited, about their normal activities and procedures. The audit will examine the various controls that are in place. The auditor will typically trace the flow of sample transactions through the system. The output of the audit lists and ranks all control weaknesses and estimates the probability of threat occurring and estimates the financial and organisational impact of each threat. Management is expected to draw up a plan to address any major threats or weaknesses highlighted in the audit.
TOOLS AND TECHNOLOGIES FOR PROTECTING INFORMATION RESOURCES
There are a range of tools and techniques to help firms protect against or monitor intrusions. These include tools for authentication, firewalls, intrusion detection systems, antivirus software and encryption.
Access control consists of all the policies and procedures that a company uses to prevent access to systems by unauthorised insiders and outsiders. To gain access a user must be authorised and authenticated. Authentication refers to the ability to know that a person is who they claim to be. Authentication is often established by using passwords to log on to a computer system and also by using passwords to access particular systems and files. However, users often forget passwords, share them with colleagues or choose passwords that are easy to guess, all of which compromises security. Passwords can also be sniffed when transmitted unencrypted over a network.
Sometimes systems use tokens (physical devices) such as smart cards for access control.
Firewalls, Intruder Detection Systems and Antivirus Software
Firewalls are used to prevent unauthorised access to private networks or systems (see Figure 8.3). As many organisations are now connecting their networks to the Internet, firewalls have become an essential element of an organisation’s defences against unauthorised access. A firewall is a combination of hardware and software that inspects and controls the flow of incoming and outgoing traffic. The firewall is normally placed between the organisation’s private internal networks and an external network such as the Internet. Firewalls can also be used to protect a particular segment of a company’s network from the rest of the network.
The firewall is a bit like a gatekeeper that inspects the credentials of each access request before access to the network is granted. The firewall identifies names, Internet Protocol (IP) addresses, applications and other characteristics of incoming traffic. It checks this information against the access rules that have been programmed into the system by the network administrator. The firewall prevents unauthorised communication into and out of the network, allowing the organisation to enforce a security policy on traffic flowing between its network and other networks, including the Internet.
In large organisations, the firewall often resides on a specially designated computer separate from the rest of the network so no incoming request can directly access private network resources. There are a number of firewall screening technologies, including static packet filtering, stateful inspection, Network Address Translation and application proxy filtering.
The following techniques are used in combination to provide firewall protection
Packet filtering examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet, examining individual packets in isolation. This filtering technology can miss many types of attacks.
Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and a receiver. It sets up state tables to track information over multiple packets. Packets are accepted or rejected based on whether they are part of an approved conversation or whether they are attempting to establish a legitimate connection.
Network Address Translation (NAT) provides an additional level of protection when implemented alongside static packet filtering and stateful inspection. NAT hides the IP addresses of the organisation’s internal hosts so that sniffer programs outside the firewall cannot learn them and use that information to penetrate internal systems. An internal private IP address is temporarily mapped to a public IP address for the duration of the communication. Messages inside the firewall use the host’s own IP address, but once a message passes through the firewall it carries the public IP address. The address translation occurs in the firewall.
Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organisation, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organisation, the outside user first “talks” to the proxy application and the proxy application communicates with the firm’s internal computer. Likewise, a computer user inside the organisation goes through the proxy to talk with computers on the outside.
To create a good firewall, an administrator must specify and maintain the internal rules identifying the people, applications or addresses that are allowed through the firewall and those that should be rejected. Firewalls can only deter intruders from penetrating a network; they cannot fully prevent intrusions, so a firewall should be viewed as one element in an overall security plan. To deal effectively with Internet security, a number of additional methods are required.
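The difference between static packet filtering and stateful inspection can be seen in a small simulation. The following Python program is an added example, not part of the original chapter; the packet fields, the 10.0.0.x internal range and the two rule sets are assumed for illustration. The static filter has the classic “allow inbound packets with ACK set, they must be replies” rule; the stateful filter instead records conversations opened from the inside and admits inbound packets only if they belong to one.

```python
"""Static packet filtering versus stateful inspection, as a toy simulation.
Added illustration, not from the text. The packet fields, address ranges
and rule sets are constructed for the example.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."        # assumed private network behind the firewall
ALLOWED_OUT = {80, 443}            # inside hosts may reach outside web servers

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: opens a connection
    ack: bool = False   # TCP ACK: set on every segment after the first SYN

def inbound(p):
    return not p.src.startswith(INTERNAL_PREFIX) and p.dst.startswith(INTERNAL_PREFIX)

def outbound(p):
    return p.src.startswith(INTERNAL_PREFIX) and not p.dst.startswith(INTERNAL_PREFIX)

def static_filter(p):
    """Judges each packet in isolation from its header fields only.
    Rule 1: outbound to port 80/443 is allowed.
    Rule 2: inbound with ACK set is treated as a reply to an existing
            connection (the classic 'established' rule) and allowed.
    Nothing records whether such a connection was ever opened."""
    if outbound(p) and p.dport in ALLOWED_OUT:
        return True
    if inbound(p) and p.ack:
        return True
    return False

class StatefulFilter:
    """Tracks connections opened from the inside in a state table and
    admits inbound packets only if they belong to one of them."""
    def __init__(self):
        self.table = set()    # (inside ip, inside port, outside ip, outside port)

    def check(self, p):
        if outbound(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack and p.dport in ALLOWED_OUT:
                self.table.add(key)      # new conversation approved and recorded
                return True
            return key in self.table     # later segments of an approved conversation
        if inbound(p):
            return (p.dst, p.dport, p.src, p.sport) in self.table
        return False

def run(packets):
    """Returns (static verdict, stateful verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(static_filter(p), sf.check(p)) for p in packets]

# Constructed traffic: a legitimate HTTPS session opened from inside, then an
# outside host probing port 22 with a bare ACK (an 'ACK scan' of the inside host).
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, ack=True),
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, ack=True),
]

if __name__ == "__main__":
    for p, (s, t) in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"static={'pass' if s else 'drop'}  stateful={'pass' if t else 'drop'}")
```

The first three packets pass both filters. The fourth, which no inside host ever asked for, passes the static filter because it carries an ACK flag, but the stateful filter drops it because there is no matching entry in its state table; this is the class of attack the text says static filtering can miss.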
Intruder Detection Systems
Intrusion detection systems monitor the most vulnerable points in a network to detect and deter unauthorised intruders. They monitor events as they happen, looking for security attacks in progress, and can raise an alarm to notify network administrators when suspicious activity is detected. They can also be programmed to shut down a part of the network if unauthorised traffic is detected, although this must be done with care: an attacker who can trigger the automatic shutdown can use it to deny service.
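A simple example of the kind of rule an intrusion detection system applies is detecting a password-guessing attack from a stream of login events. The following Python program is an added example, not part of the original chapter; the log lines are constructed in a syslog/sshd-like layout, and the threshold (five failures) and window (sixty seconds) are assumed for illustration.

```python
"""Host-based intrusion detection over authentication log lines: flag a
source address that produces repeated login failures in a short window.
Added illustration, not from the text. The log lines below are constructed
in a syslog/sshd-like layout (assumed); the threshold and window are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG = """\
Mar 12 10:00:01 gw sshd[2201]: Failed password for root from 198.51.100.7 port 50211 ssh2
Mar 12 10:00:03 gw sshd[2203]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Mar 12 10:00:04 gw sshd[2205]: Accepted password for alice from 10.0.0.12 port 41022 ssh2
Mar 12 10:00:05 gw sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 50213 ssh2
Mar 12 10:00:06 gw sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 50214 ssh2
Mar 12 10:00:08 gw sshd[2211]: Failed password for guest from 198.51.100.7 port 50215 ssh2
Mar 12 10:00:30 gw sshd[2213]: Failed password for bob from 10.0.0.12 port 41023 ssh2
Mar 12 10:05:00 gw sshd[2215]: Failed password for bob from 10.0.0.12 port 41024 ssh2
"""

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)

def parse(line, year=2024):
    """Returns (timestamp, failed?, user, source ip), or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2) == "Failed", m.group(3), m.group(4)

def detect_bruteforce(log, threshold=5, window=60):
    """Sliding-window rule: `threshold` failures from one source within
    `window` seconds raise one alert (src, failures seen, time of alert).
    Successful logins and unparseable lines are ignored."""
    recent = defaultdict(deque)          # source ip -> timestamps of recent failures
    alerted, alerts = set(), []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or not rec[1]:
            continue
        ts, _, _, src = rec
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                  # forget failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), ts))
    return alerts

if __name__ == "__main__":
    for src, n, ts in detect_bruteforce(LOG):
        print(f"ALERT {ts:%H:%M:%S}: {n} failed logins from {src} within 60s")
```

On the sample log the outside host 198.51.100.7 trips the rule at its fifth failure; the inside user who mistypes a password twice, minutes apart, does not. Whether the alert merely notifies an administrator or also blocks the source is the policy decision discussed above.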
Antivirus software checks computer systems and hard drives for the presence of viruses and other malware, detecting and removing them from the infected area. To be effective, antivirus software must be continually updated, since it relies largely on signatures of known malware. Companies providing antivirus software include AVG, McAfee, Symantec and ZoneAlarm.
Anti-spyware programs protect against spyware software by either preventing its installation or detecting and removing spyware already installed on a computer system. Many providers of anti-virus products also include anti-spyware functions in their products. Some also supply stand alone anti spyware solutions.
Wireless Networks Security
Wi-Fi networks are more easily penetrated because they use radio waves to transmit data. Unless users take rigorous precautions to protect their computers, it is possible for hackers to obtain access to files. Stronger encryption and authentication systems for Wi-Fi than the original Wired Equivalent Privacy (WEP) are installed in newer systems.
Wi-Fi Protected Access (WPA) and its successor WPA2, the Wi-Fi Alliance industry trade group’s certification of the IEEE 802.11i standard, tighten security for wireless LANs. These authentication and encryption systems protect data travelling between devices over the airwaves.
Encryption and Digital Certificates
Encryption is the coding and scrambling of messages to prevent their access by unauthorised individuals. Encryption offers protection by keeping messages or packets hidden from the view of unauthorised readers. Encryption is crucial for ensuring the success of electronic commerce between the organisation and its customers, and between the organisation and its suppliers and business partners.
Many companies use the Secure Sockets Layer (SSL) security method and its successor, Transport Layer Security (TLS), which encrypt all data passing between a Web browser and a merchant’s server; this is what the https:// prefix in a Web address indicates. Secure Hypertext Transfer Protocol (S-HTTP) was another protocol for encrypting data flowing over the Internet, limited to individual messages, but it was never widely adopted and HTTP over SSL/TLS is what is used in practice.
PUBLIC KEY ENCRYPTION
Public-key encryption, also known as asymmetric encryption, uses two keys: a public key and a private key. The two keys are generated together as a mathematically related pair, so that a message encrypted with one key can only be decrypted with the other; the private key cannot feasibly be worked out from the public key.
The sender locates the recipient’s public key in a public directory and uses it to encrypt a message. The message is sent in its encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses their private key to decrypt the data and read the message.
Digital signatures are digital codes attached to an electronically transmitted message that are used to verify the origin and content of the message. A signature is created with the sender’s private key and checked with the sender’s public key, so it associates a message with a sender, performing a similar function to a written signature.
Digital signature software can verify that a message, document or file has not been altered between the time it left the sender and the time you received it, because any change to the content invalidates the signature. The Electronic Signatures in Global and National Commerce Act (U.S.) authorised the use of digital signatures and promises to enhance electronic commerce and make it easier to do business digitally.
Digital Certificate
A digital certificate is a data file used to establish the identity of people and electronic assets so as to protect online transactions. It uses a third party known as a certificate authority to validate the user’s identity. There are many certificate authorities around the world such as VeriSign.
The certificate authority verifies a digital certificate user’s identity off-line. This information is put into a certificate authority server, which generates a digital certificate containing the owner’s identification information and a copy of the owner’s public key, signed with the certificate authority’s private key. The certificate authority makes its own public key available publicly, either in print or on the Internet. The recipient of a message uses the certificate authority’s public key to check the signature on the digital certificate attached to the message, verifies that it was issued by the certificate authority and then obtains the sender’s public key and identification information contained in the certificate. The recipient can use that public key to verify the sender’s signature and to send an encrypted reply.
Public key infrastructure (PKI)
This is the use of public key encryption in combination with a certificate authority. This approach is now widely used in e-commerce.
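The public-key encryption, digital signature and digital certificate mechanisms described above can be seen working together in one exchange. The following Python program is an added example, not part of the original chapter. It uses textbook RSA with freshly generated primes and no padding, which is enough to show the mechanics but is not secure; a real system uses a vetted library with OAEP/PSS padding and X.509 certificates. The names, the message and the certificate layout are assumed for illustration.

```python
"""Toy public-key encryption, digital signature and certificate check.
Added illustration, not from the text: textbook RSA with fresh primes and no
padding shows the mechanics but is NOT secure; real systems use a vetted
library with OAEP/PSS padding and X.509 certificates. Names are made up.
"""
import hashlib
import json
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)): public key, private key. The pair is generated
    together; d cannot feasibly be derived from (n, e) without factoring n."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(public, message):
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this unpadded toy scheme")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits, < n

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)            # only the private key can produce this

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data)

def issue_certificate(ca_private, subject, subject_public):
    """The CA, having checked the subject's identity off-line, binds it to the
    subject's public key by signing both with the CA's private key."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "sig": sign(ca_private, json.dumps(body, sort_keys=True).encode())}

def check_certificate(ca_public, cert):
    """Returns the certified public key, or None if the CA's signature fails."""
    tbs = json.dumps(cert["body"], sort_keys=True).encode()
    return (cert["body"]["n"], cert["body"]["e"]) if verify(ca_public, tbs, cert["sig"]) else None

def exchange(message=b"Pay 100 to account 42"):
    ca_public, ca_private = generate_keypair()
    alice_public, alice_private = generate_keypair()   # recipient
    bob_public, bob_private = generate_keypair()       # sender
    bob_cert = issue_certificate(ca_private, "bob@example.com", bob_public)
    # Sender: sign with own private key, encrypt with the recipient's public key.
    signature = sign(bob_private, message)
    ciphertext = encrypt(alice_public, message)
    # Recipient: decrypt with own private key, validate the sender's certificate
    # with the CA's public key, then verify the signature with the certified key.
    plaintext = decrypt(alice_private, ciphertext)
    sender_public = check_certificate(ca_public, bob_cert)
    genuine = sender_public is not None and verify(sender_public, plaintext, signature)
    tampered_passes = sender_public is not None and verify(sender_public, plaintext + b"0", signature)
    # An impostor's self-issued certificate for the same name is rejected: it is
    # not signed by the trusted CA, so the recipient never trusts the impostor's key.
    mallory_public, mallory_private = generate_keypair()
    fake_cert = issue_certificate(mallory_private, "bob@example.com", mallory_public)
    impostor_accepted = check_certificate(ca_public, fake_cert) is not None
    return plaintext, genuine, tampered_passes, impostor_accepted
```

Running exchange() returns the recovered plaintext together with three flags: the genuine signature verifies, a one-byte change to the message makes it fail, and a certificate not signed by the trusted certificate authority is refused. Only the certificate authority’s public key needs to be obtained out of band; every other key is carried in a certificate.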
Establishing a good framework for security and control requires skilful balancing of risks, rewards and the firm’s operational capabilities. Designing systems that are neither overcontrolled nor under-controlled and implementing an effective security policy are major management challenges. To address these issues management need to make security and control a higher priority within the firm. Management need to determine what is an appropriate level of control for the organisation.