Essentials of Management Information Systems, Thirteenth Edition
Chapter 8: Securing Information Systems
Copyright © 2019 Pearson Education Ltd.
Why Systems are Vulnerable (1 of 2)
• Security
– Policies, procedures, and technical measures used to
prevent unauthorized access, alteration, theft, or
physical damage to information systems
• Controls
– Methods, policies, and organizational procedures that
ensure safety of organization’s assets; accuracy and
reliability of its accounting records; and operational
adherence to management standards
Why Systems are Vulnerable (2 of 2)
• Accessibility of networks
• Hardware problems (breakdowns, configuration errors,
damage from improper use or crime)
• Software problems (programming errors, installation
errors, unauthorized changes)
• Disasters
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices
Figure 8.1 Contemporary Security Challenges and Vulnerabilities
Internet Vulnerabilities
• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with cable / DSL modems
creates fixed targets for hackers
• Unencrypted VOIP
• Email, P2P, IM
– Interception
– Attachments with malicious software
– Transmitting trade secrets
Wireless Security Challenges
• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
– Identify access points, broadcast multiple times,
can be identified by sniffer programs
• War driving
– Eavesdroppers drive by buildings and try to detect
SSID and gain access to network and resources
– Once access point is breached, intruder can gain
access to networked drives and files
• Rogue access points
Figure 8.2 Wi-Fi Security Challenges
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware (1 of 2)
• Malware (malicious software)
• Viruses
– Rogue software program that attaches itself to other software programs or data files in order to be executed
• Worms
– Independent computer programs that copy themselves from one computer to other computers over a network
• Worms and viruses spread by
– Downloads and drive-by downloads
– Email, IM attachments
• Mobile device malware
• Social network malware
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware (2 of 2)
• Trojan horse
– Software program that appears to be benign but then does something other than expected
• SQL injection attacks
• Ransomware
• Spyware (Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising)
– Key loggers (Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks)
– Other types
▪ Reset browser home page
▪ Redirect search requests
▪ Slow computer performance by taking up memory
Hackers and Computer Crime (1 of 3)
• Hackers vs. crackers
• Activities include:
– System intrusion
– System damage
– Cybervandalism
▪ Intentional disruption, defacement, destruction of
website or corporate information system
• Spoofing
– Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
– Redirecting Web link to address different from intended one, with site masquerading as intended destination
• Sniffer
– Eavesdropping program that monitors information traveling over network
– Enables hackers to steal proprietary information such as e-mail, company files, and so on
Hackers and Computer Crime (2 of 3)
• Denial-of-service attacks (DoS)
– Flooding server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS)
– Use of numerous computers to launch a DoS
• Botnets
– Networks of “zombie” PCs infiltrated by bot malware
• Spam
• Computer crime
– Any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution
– Computer may be target of crime:
▪ Breaching confidentiality of protected computerized data
▪ Accessing a computer system without authority
– Computer may be instrument of crime:
▪ Theft of trade secrets
▪ Using e-mail for threats or harassment
Hackers and Computer Crime (3 of 3)
• Identity theft
– Phishing (Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data)
– Evil twins (Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet)
– Pharming (Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser)
• Click fraud (Fraudulent clicks on online ads)
• Cyberterrorism
• Cyberwarfare
Internal Threats: Employees
• Security threats often originate inside an organization
• Inside knowledge
• Sloppy security procedures
– User lack of knowledge
• Social engineering (Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information)
• Both end users and information systems specialists are
sources of risk.
Software Vulnerability
• Commercial software contains flaws that create security
vulnerabilities
– Bugs (program code defects)
– Zero defects cannot be achieved
– Flaws can open networks to intruders
• Zero-day vulnerabilities
• Can’t protect against malware you don’t know about
• Surprise: there’s new malware every day
• Anti-malware and virus programs always behind
• Patches
– Small pieces of software to repair flaws
• Patch management
Encryption and Public Key Infrastructure (1 of 3)
• Encryption
– Transforming text or data into cipher text that cannot
be read by unintended recipients
– Two methods for encryption on networks
▪ Secure Sockets Layer (SSL) and successor
Transport Layer Security (TLS)
▪ Secure Hypertext Transfer Protocol (S-HTTP)
Encryption and Public Key Infrastructure (2 of 3)
• Two methods of encryption of messages
– Symmetric key encryption
▪ Sender and receiver use single, shared key
– Public key encryption
▪ Uses two, mathematically related keys: public key
and private key
▪ Sender encrypts message with recipient’s public
key
▪ Recipient decrypts with private key
Figure 8.6 Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
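Added example, not from the textbook: the Figure 8.6 exchange written with Go's standard library, using RSA-OAEP as the public key algorithm (the slide names none). The sender locks the message with the recipient's public key, only the recipient's private key unlocks it, and a bystander's private key fails; the party names and the sample message are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// generateKeyPair creates one party's two mathematically related keys (Figure 8.6):
// the public key can be listed in a directory, the private key never leaves its owner.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForRecipient is the sender's step: look up the recipient's public key and lock the
// message with it. RSA-OAEP with SHA-256 and a 2048-bit key accepts at most 190 bytes per message.
func encryptForRecipient(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// decryptWithPrivateKey is the recipient's step. Any other private key returns an error
// rather than garbage, so callers must check err before trusting the plaintext.
func decryptWithPrivateKey(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	recipient, _ := generateKeyPair()
	bystander, _ := generateKeyPair() // a third party with its own, unrelated key pair
	msg := []byte("constructed sample: Q3 price list")
	ciphertext, _ := encryptForRecipient(&recipient.PublicKey, msg)
	if plaintext, err := decryptWithPrivateKey(recipient, ciphertext); err == nil {
		fmt.Printf("recipient reads: %q\n", plaintext)
	}
	_, err := decryptWithPrivateKey(bystander, ciphertext)
	fmt.Println("bystander's private key fails:", err != nil)
}
```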
Encryption and Public Key Infrastructure (3 of 3)
• Digital certificate
– Data file used to establish the identity of users and
electronic assets for protection of online transactions
– Uses a trusted third party, certification authority (CA), to
validate a user's identity
– CA verifies user’s identity, stores information in CA server,
which generates encrypted digital certificate containing
owner ID information and copy of owner’s public key
• Public key infrastructure (PKI)
– Use of public key cryptography working with certificate
authority
– Widely used in e-commerce
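Added example, not from the textbook: the certification authority steps above using Go's crypto/x509, with Ed25519 keys (the slide names no algorithm). newCA self-signs the CA's own certificate, issueCertificate is the CA binding the verified owner ID to a copy of the owner's public key under its signature, and verifyCertificate is what a relying party does with the result; the CA name and the owner ID shop.example.com are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign certifies tmpl (carrying a copy of pub) with signerKey; parent == tmpl means self-signed.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA self-signs the certification authority's certificate: the trust anchor relying parties install.
func newCA(name string, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, pub, priv)
}

// issueCertificate is the CA step on the slide: after verifying the owner's identity out of band,
// the CA binds the owner ID to a copy of the owner's public key and signs that binding.
func issueCertificate(ca *x509.Certificate, caKey ed25519.PrivateKey, ownerID string, ownerPub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: ownerID},
		DNSNames: []string{ownerID}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	return sign(tmpl, ca, ownerPub, caKey)
}

// verifyCertificate is the relying party's step: accept only if the certificate chains to the
// CA we trust and names the owner we expect to be dealing with.
func verifyCertificate(cert, trustedCA *x509.Certificate, ownerID string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: ownerID})
	return err
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca, _ := newCA("Example CA (constructed)", caPub, caKey)
	ownerPub, _, _ := ed25519.GenerateKey(rand.Reader) // the owner's own key pair
	cert, _ := issueCertificate(ca, caKey, "shop.example.com", ownerPub)
	fmt.Println("chains to trusted CA:", verifyCertificate(cert, ca, "shop.example.com") == nil)
}
```

A certificate issued by a CA the relying party has not installed, or one naming a different owner, is rejected by the same verifyCertificate call.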
Figure 8.7 Digital Certificates
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.
Ensuring System Availability
• Online transaction processing requires 100% availability
• Fault-tolerant computer systems
– Contain redundant hardware, software, and power
supply components that create an environment that
provides continuous, uninterrupted service
• Deep packet inspection
• Security outsourcing
– Managed security service providers (MSSPs)