1 of 49

Experiencing M I S

Tenth Edition

Chapter 10

Information Systems Security

2 of 49

“I Think You’ll See That We Really Do Take Security Seriously.” (1 of 2)

Video conference with C I O of Tampa General Hospital (potential iMed Analytics partner).
Security concerns about integrating iMed Analytics with Tampa General’s internal information systems.
Does iMed Analytics have acceptable levels of security? Should an external system be allowed to access medical data and protected systems that Tampa General has worked hard to secure?
Can the system get hacked? Damage their systems? Medical data stolen?

3 of 49

“I Think You’ll See That We Really Do Take Security Seriously.” (2 of 2)

Does iMed Analytics include secure coding practices to protect patient data?
iMed Analytics implements secure coding practices and secure data connections and backend storage.
Parameterization is used to sanitize data coming into the system from IoT medical devices or external data stores.
Users interact with radio buttons, dropdown menus, and other interactive elements.
Reduces the possibility of an S Q L injection attack.
New technology typically brings new risks.

4 of 49

Study Questions

10.1 What is the goal of information systems security?

10.2 How big is the computer security problem?

10.3 How should you respond to security threats?

10.4 How should organizations respond to security threats?

10.5 How can technical safeguards protect against security threats?

10.6 How can data safeguards protect against security threats?

10.7 How can human safeguards protect against security threats?

10.8 How should organizations respond to security incidents?

5 of 49

Information Systems Security Threats

10.1 What is the goal of information systems security?

Figure 10.1 Threat/Loss Scenario

Threat/Loss Scenario: Major elements of IS security

Threat—person or organization seeks to obtain data or other assets illegally, without owner’s permission and often without owner’s knowledge
Vulnerability—opportunity for threats to gain access to individual or organizational assets; for example, when you buy online, you provide your credit card data, and as data is transmitted over Internet, it is vulnerable to threats
Safeguard—measure individuals or organizations take to block threat from obtaining an asset; not always effective, some threats achieve their goal in spite of safeguards
Target—asset desired by threat

Long Description:

The diagram illustrates different “threats” lead to “vulnerabilities.” There are “Safeguards” and the vulnerabilities are blocked by these safeguards. In case when safeguard is ineffective or there is no safeguard, then the vulnerabilities target monetary losses or system attacks, thereby resulting in losses.

6 of 49

Examples of Threat/Loss

10.1 What is the goal of information systems security?

Figure 10.2 Examples of Threat/Loss

If you access what appears to be your bank’s site without using https (i.e., an unsecured site), you have no safeguard at all. Your login credentials can be quickly recorded and resold to other criminals.
The employer has procedures that state employees are not to post confidential data to any public site, such as Google+, but these procedures were either unknown or ignored.
A third safeguard is the training that all employees are given.

Long Description:

The details are respectively as follows:

• Threat/Target: Hacker wants to steal your bank login credentials:

Vulnerability: Hacker creates a phishing site nearly identical to your online banking site.

Safeguard: Only access sites using HTTPS.

Result: No loss.

Explanation: Effective safeguard.

Safeguard: None.

Result: Loss of login credentials.

Explanation: Ineffective safeguard.

• Threat/Target: Employee posts sensitive data to public Facebook group.

Vulnerability: Public access to not-secure group.

Safeguard: Passwords Procedures Employee training.

Result: Loss of sensitive data.

Explanation: Ineffective safeguard.

7 of 49

What are the Sources of Threats?

10.1 What is the goal of information systems security?

Figure 10.3 Security Problems and Sources

Sources of security threats:

Human error examples: (1) employee misunderstands operating procedures and accidentally deletes customer records; (2) employee inadvertently installs an old database on top of current one while doing backing up; (3) physical accidents, such as driving a forklift through wall of a computer room
Computer crime—intentional destruction or theft of data or other system components
Natural disasters—fires, floods, hurricanes, earthquakes, tsunamis, avalanches, other acts of nature; includes initial loss of capability and service, and losses recovery costs

Long Description:

The two-way table illustrates various problems and sources of losses and threats as follows:

• Loss, Unauthorized data disclosure; Threat, Human error

o Procedural mistakes

• Loss, Incorrect data modification; Threat, Human error

o Procedural mistakes

o Incorrect procedures

o Ineffective accounting controls

o System errors

• Loss, Faulty service; Threat, Human error

o Procedural mistakes

o Development and installation errors

• Loss, Denial of Service (DoS); Threat, Human error

o Accidents

• Loss, Loss of infrastructure; Threat, Human error

o Accidents

• Loss, Unauthorized data disclosure; Threat, Computer Crime

o Pretexting

o Phishing

o Spoofing

o Sniffing

o Hacking

• Loss, Incorrect data modification; Threat, Computer Crime

o Hacking

• Loss, Faulty service; Threat, Computer Crime

o Usurpation

• Loss, Denial of Service (DoS); Threat, Computer Crime

o DoS attacks

• Loss, Loss of infrastructure; Threat, Computer Crime

o Theft terrorist activity

• Loss, Unauthorized data disclosure; Threat, Natural Disasters

o Disclosure during recovery

• Loss, Incorrect data modification; Threat, Natural Disasters

o Incorrect data recovery

• Loss, Faulty service; Threat, Natural Disasters

o Service improperly restored

• Loss, Denial of Service (DoS); Threat, Natural Disasters

o Service interruption

• Loss, Loss of infrastructure; Threat, Natural Disasters

o Property loss

8 of 49

What Types of Security Loss Exists?

10.1 What is the goal of information systems security?

Unauthorized Data Disclosure

Pretexting
Phishing
Spoofing

I P spoofing

Email spoofing

Sniffing

Wardrivers

Hacking
Natural disasters

9 of 49

Incorrect Data Modification

10.1 What is the goal of information systems security?

Procedures incorrectly designed or not followed.
Increasing customer’s discount or incorrectly modifying employee’s salary.
Placing incorrect data on company Web site.
Cause

Improper internal controls on systems.
System errors.
Faulty recovery actions after a disaster.

10 of 49

Faulty Service

10.1 What is the goal of information systems security?

Problems from incorrect system operation.

Incorrect data modification
Systems working incorrectly
Procedural mistakes
Programming errors
I T installation errors
Usurpation
Denial of service (unintentional)
Denial-of-service attacks (intentional)

11 of 49

Denial of Service

10.1 What is the goal of information systems security?

Denial of service (unintentional)

Human error in following procedures (or lack of procedures) results in Web server shutdowns
Starting a computationally intensive application can prevent normal operations from taking place

Denial-of-service attacks (intentional)

Malicious outsider floods a Web server with millions of bogus service requests so that normal requests cannot be processed

Natural disasters can cause systems to fail

12 of 49

Loss of Infrastructure

10.1 What is the goal of information systems security?

Human accidents
Theft and terrorist events
Disgruntled or terminated employee
Natural disasters

Advanced Persistent Threat

A P T 41 (Double Dragon) (China)
Targeting healthcare and technology companies
Focuses on hacking supply chains, cryptocurrency manipulation, intelligence gathering, injecting malware into legitimate software updates

13 of 49

Goal of Information Systems Security

10.1 What is the goal of information systems security?

Find appropriate trade-off between risk of loss and cost of implementing safeguards.
Protective actions.

Use antivirus software.
Delete browser cookies?
Make appropriate trade-offs to protect yourself and your business.

14 of 49

Computer Crime Attacks: Percent of Attacks by Type

10.2 How big is the computer security problem?

Figure 10.4 Percent of Companies Experiencing Attacks by Attack Type

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2021.

Figure 10-4 shows the results of a survey performed by Accenture and the Ponemon Institute, a consulting group that specializes in computer crime.
It shows the percentage of companies experiencing the most common types of attacks.
Compromised Credentials and Cloud Misconfiguration are the most frequently experienced types of attack (both 19%).

Long Description:

The horizontal axis represents percentages ranging from 0 to 20 in increments of 2. The vertical axis represents attack types. The details of approximate data of the graph are as follows:

• Compromised Credentials: 19 percent.

• Cloud Misconfiguration: 19percent.

• Vulnerability in Third-Party Software: 16 percent.

• Phishing: 14 percent.

• Physical Security Compromise: 10 percent.

• Malicious Insider: 7 percent.

• Misconfiguration: 6 percent.

• Business Email Compromise: 5 percent.

• Social Engineering: 3 percent.

• Other: 1 percent.

15 of 49

Costs of Computer Crime by Attack Type

10.2 How big is the computer security problem?

Figure 10.5 Average Annual Computer Crime Costs by Attack Type

Source: Based on I B M, Cost of a Data Breach Report, April 2020.

16 of 49

Cost of the Consequences of Attack

10.2 How big is the computer security problem?

Figure 10.6 Data Breach Costs by Category

Source: Based on I B M, Cost of a Data Breach Report, April 2020.

17 of 49

Accenture Study Findings (2019)

10.2 How big is the computer security problem?

Credential attacks and cloud misconfigurations are serious security threats.
Business disruption is a major cost of computer crime.
Security safeguards work.

18 of 49

Personal Security Safeguards

10.3 How should you respond to security threats?

Figure 10.7 Personal Security Safeguards

Take security seriously
Create strong passwords
Use multiple passwords
Send no valuable data via email or I M
Use https at trusted, reputable vendors
Remove high-value assets from computers
Clear browsing history, temporary files, and cookies (CCleaner or equivalent)
Regularly update antivirus software
Demonstrate security concern to your fellow workers
Follow organizational security directives and guidelines
Consider security for all business initiatives

19 of 49

Security Policies

10.4 How should organizations respond to security threats?

Senior management creates company-wide policies:

What sensitive data will be stored?
How will that data be processed?
Will data be shared with other organizations?
How can employees and others obtain copies of data stored about them?
How can employees and others request changes to inaccurate data?

Senior management manages risks.

20 of 49

Security Safeguards and the Five Components

10.4 How should organizations respond to security threats?

Figure 10.8 Security Safeguards as They Relate to the Five Components

An easy way to remember information systems safeguards is to arrange them according to the five components of an information system.

Long Description:

The five components of the security safeguards are “Hardware,” “Software,” “Data,” “Procedures,” and “People.” The two components, hardware, and software are together labeled as “Technical Safeguards.” Technical safeguards include “Identification and authorization,” “Encryption,” “Firewalls,” “Malware protection,” and “Application design.” The component data is further labeled as “Data Safeguards.” Data safeguards include “Data rights and responsibilities,” “Passwords,” “Encryption,” “Backup and recovery,” and “Physical security.” The two components, procedure and people are together labeled as “Human Safeguards.” Human safeguards include “Hiring,” “Training,” “Education,” “Procedure design,” “Administration,” “Assessment,” “Compliance,” and “Accountability.”

21 of 49

Technical Safeguards

10.5 How can technical safeguards protect against security threats?

Figure 10.9 Technical Safeguards

22 of 49

The Essence of h t t p s (S S L or T L S)

10.5 How can technical safeguards protect against security threats?

Figure 10.10 The Essence of https (S S L or T L S)

Summary of how SSL/TLS works when you communicate securely with a Web site:

1. Your computer obtains public key of Web site to which it will connect.

2. Your computer generates a key for symmetric encryption.

3. Your computer encodes key using Web site’s public key, then sends encrypted symmetric key to Web site.

4. Web site decodes symmetric key using its private key.

5. Now, your computer and Web site communicate using symmetric encryption.

Note: With asymmetric encryption, two keys are used; one key encodes the message, and the other key decodes the message. Symmetric encryption is simpler and much faster than asymmetric encryption.

Long Description:

The diagram illustrates the essence of HTTPS as follows:

• 1. Your computer obtains public key of the Web site.

• Web Site Public Key (from Web Site to You)

• 2. Your computer generates key for symmetric encryption.

• 3. Your computer encrypts symmetric key using Web site’s public key.

• Symmetric key encrypted using Web Site’s Public Key (from You to Web Site)

• 4. Web site decodes your message using its private key. Obtains key for symmetric encryption.

• Communications using symmetric encryption (interrelation between You and Web site)

• 5. All communications between you and Web site use symmetric encryption.

23 of 49

Use of Multiple Firewalls

10.5 How can technical safeguards protect against security threats?

Figure 10.11 Use of Multiple Firewalls

Organizations normally use multiple firewalls. Perimeter firewall sits outside organizational network; is first device that Internet traffic encounters.
Packet-filtering firewall examines each part of a message and determines whether to let that part pass. To make this decision, it examines source address, destination address(es), and other data. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind firewall, prohibit traffic from legitimate, but unwanted, addresses, such as competitors’ computers, and filter outbound traffic.
No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers. By nature, these firewalls are generic. Large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.

Long Description:

The diagram shows a “Local Area Network” comprising “Personal Computer 1,” “Personal Computer 2,” “Personal Computer 3,” and “Personal Computer 4.” All computers are connected to the “Internal Firewall” which is further interconnected to the “Perimeter Firewall.” The perimeter firewall is also interconnected to the “Internet.” The internet firewall is further interconnected to the “Server Network” comprising the “Mail Server” and “Web Server.”

24 of 49

Malware Protection (Viruses, Spyware, Adware)

10.5 How can technical safeguards protect against security threats?

Install antivirus and antispyware programs.
Scan frequently.
Update malware definitions.
Open email attachments only from known sources.
Install software updates promptly.
Browse only reputable Internet neighborhoods.

25 of 49

Types of Malware and Spyware/Adware Symptoms

10.5 How can technical safeguards protect against security threats?

Malware

Viruses

Payload

Trojan horses
Worms
Spyware

Keyloggers

Adware
Ransomware

Figure 10.12 Spyware and Adware Symptoms

Slow system startup
Sluggish system performance
Many pop-up advertisements
Suspicious browser homepage changes
Suspicious changes to the taskbar and other system interfaces
Unusual hard-disk activity

Payload is program code that causes unwanted activity. It can delete programs or data, or modify data in undetected ways.
Spyware programs are installed on the user’s computer without the user’s knowledge or permission. It resides in background and, unknown to the user, observes user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations.
Some malicious spyware, called key loggers, captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses such as observing what users do, Web sites visited, products examined and purchased, and so forth.
Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads. Adware can also change the user’s default window or modify search results and switch the user’s search engine.

26 of 49

Design for Secure Applications

10.5 How can technical safeguards protect against security threats?

S Q L injection attack

User enters S Q L statement into a form instead of a name or other data.
Result

S Q L code becomes part of database commands issued.
Improper data disclosure, data damage and loss possible.

Well designed applications make injections ineffective.

27 of 49

Data Safeguards

10.6 How can data safeguards protect against security threats?

Data safeguards
Data administration
Database administration
Key escrow

Figure 10.13 Data Safeguards

Define data policies
Data rights and responsibilities
Rights enforced by user accounts authenticated by passwords
Data encryption
Backup and recovery procedures
Physical security

28 of 49

Legal Safeguards for Data

10.6 How can data safeguards protect against security threats?

Legal standards specify safeguards organizations must follow regarding data collected and stored
Payment Card Industry Data Security Standard (P C I D S S)

Specifies secure storage and processing requirements for credit card data
Gramm-Leach-Bliley Act (G L B A)—protections for consumer financial data stored by financial institutions
Health Insurance Portability and Accountability Act (H I P P A)—standards that govern health data access and protection.

29 of 49

Security Policies for In-House Staff (1 of 2)

10.7 How can human safeguards protect against security threats?

Position definition

Separate duties and authorities
Determine least privilege
Document position sensitivity

Hiring and screening

Figure 10.14 Security Policy for In-House Staff (continues on next slide)

30 of 49

Security Policies for In-House Staff (2 of 2)

10.7 How can human safeguards protect against security threats?

Dissemination and enforcement

Responsibility
Accountability
Compliance

Termination

Friendly
Unfriendly

Figure 10.14 Security Policy for In-House Staff (continues on next slide)

31 of 49

Human Safeguards for Nonemployee Personnel

10.7 How can human safeguards protect against security threats?

Temporary personnel, vendors, partner personnel (employees of business partners), and the public.
Require vendors and partners to perform appropriate screening and security training.
Contract specifies security responsibilities.
Provide accounts and passwords with least privilege and remove accounts as soon as possible.

32 of 49

Public User Considerations

10.7 How can human safeguards protect against security threats?

Public users of Web sites and other openly accessible information systems cannot be held accountable for security violations.

Hardening—reduce the system’s vulnerabilities

Special versions of operating system.
Lock down or eliminate operating systems features and functions not required by application.

Protect such users from internal company security problems.

33 of 49

Account Administration

10.7 How can human safeguards protect against security threats?

Account Management

Standards for new user accounts, modification of account permissions, removal of unneeded accounts.

Password Management

Users change passwords frequently.

Help Desk Policies

Provide means of authenticating users.

34 of 49

Sample Account Acknowledgement Form

10.7 How can human safeguards protect against security threats?

Figure 10.15 Sample Account Acknowledgement Form

I hereby acknowledge personal receipt of the system password(s) associated with the user IDs listed below. I understand that I am responsible for protecting the password(s), will comply with all applicable system security standards, and will not divulge my password(s) to any person. I further understand that I must report to the Information Systems Security Officer any problem I encounter in the use of the password(s) or when I have reason to believe that the private nature of my password(s) has been compromised.

Source: National Institute of Standards and Technology, Introduction to Computer Security: The N I S T Handbook, Publication 800–812.

35 of 49

Systems Procedures

10.7 How can human safeguards protect against security threats?

Figure 10.16 Systems Procedures

Blank	System Users	Operations Personnel
Normal Operation	Use the system to perform job tasks, with security appropriate to sensitivity.	Operate data center equipment, manage networks, run Web servers, and do related operational tasks.
Backup	Prepare for loss of system functionality.	Back up Website resources, databases, administrative data, account and password data, and other data.
Recovery	Accomplish job tasks during failure. Know tasks to do during system recovery.	Recover systems from backed up data. Perform role of help desk during recovery.

36 of 49

Security Monitoring (1 of 2)

10.7 How can human safeguards protect against security threats?

Server activity logs

Firewall log

Lists of all dropped packets, infiltration attempts, unauthorized access, attempts from within the firewall.

D B M S

Successful and failed logins.

Web servers

Voluminous logs of Web activities.

P C O/S produce record of log-ins and firewall activities.

37 of 49

Security Monitoring (2 of 2)

10.7 How can human safeguards protect against security threats?

Employ utilities to assess vulnerabilities.
Honeypots for computer criminals to attack.
Investigate security incidents.
Constantly monitor to determine adequacy of existing security policy and safeguards.

38 of 49

Factors in Incident Response

10.8 How should organizations respond to security incidents?

Figure 10.17 Factors in Incident Response

Have plan in place
Centralized reporting
Specific responses

Speed
Preparation pays
Don’t make problem worse

Practice

39 of 49

How Does the Knowledge in This Chapter Help You?

Awareness of:

Threats to computer security as an individual, business professional, employer
Risk trade offs
Technical, data, human safeguards to protect computing devices and data
How organizations should respond to security threats
How organizations should respond to security incidents
Importance of creating and using strong passwords!

40 of 49

New from Black Hat

So What?

Deepfakes: high-fidelity photos or videos created using powerful artificial intelligence and machine learning technologies in which the likeness of one individual is replaced by the likeness of another. How to identify deepfakes and protect the integrity of information?
Integrations between IoT devices and apps offer many potential vulnerabilities. How to balance easy integration and security?
How to provide accurate election results with secure election technology?

41 of 49

Using Tech to Mitigate COVID-19 Risks

Security Guide

Organizations have several tech-oriented options to help reduce risk and promote a safe employee environment:

Smartphone apps to track employee movements and interactions with others
Thermal cameras to identify employees with a fever
Behavioral surveys

Do organizations have the right to collect this data?
Once the need for COVID-19 monitoring diminishes, will employers stop collecting the employee tracking data?

42 of 49

Cyber Systems Engineer

Career Guide

Chris Heywood at Northrop Grumman

Q. What attracted you to this field?

A. “I always thought it would be awesome to know how to break into systems and know how to defend systems from hackers…I decided that I would love to protect myself and others from the malicious intents of hackers and to keep our information safe.”

Q. What advice would you give to someone who is considering working in your field?

A. “Work really hard to understand how information technology works and don’t be afraid to experiment with it. Set up labs and virtual machines to help you understand how networking, system administration, and cybersecurity work. Apply the things that you learn in classes and get as much practical experience as you can..”

43 of 49

White Hat, Blackballed

Ethics Guide

Understand how and why customers make purchase decisions, then customize the site for each visitor to increase purchases.
Web sites are now storing and analyzing everything that visitors do on the site—not just pages they visit or the products that they add to a shopping cart, but all of the mouse movements, keystrokes, and scrolling behavior, too.

Researchers can analyze mouse movement to uncover emotion.

Could be sold to 3rd party.

44 of 49

Active Review

10.1 What is the goal of information systems security?

10.2 How big is the computer security problem?

10.3 How should you respond to security threats?

10.4 How should organizations respond to security threats?

10.5 How can technical safeguards protect against security threats?

10.6 How can data safeguards protect against security threats?

10.7 How can human safeguards protect against security threats?

10.8 How should organizations respond to security incidents?

45 of 49

CrowdStrike

Case Study 10

Lost 40 million credit and debit card numbers.
Later, announced additional 70 million customer accounts stolen that included names, emails, addresses, phone numbers, etc.
98 million customers affected.

31% of 318 million people in U.S.

Stolen from point-of-sale (P O S) systems at Target stores during holiday shopping season.

46 of 49

How Did They Do It?

Case Study 10

Bought malware
Spear-phished users at Fazio to get login credentials on Target vendor server.
Attackers escalated privileges, accessed Target’s internal network, and planted malware.
Trojan.P O S R A M extracted data from P O S terminals.
Sent data to drop servers

Figure 10.18 Target Data Breach

47 of 49

Damage (1 of 2)

Case Study 10

Card and pin numbers of 2 million cards for $26.85 each ($53.7M).
Costs

Upgraded P O S terminals to support chip-and-pin cards,
Increased insurance premiums,
Paid legal fees,
Settled with credit card processors,
Paid consumer credit monitoring,
Paid regulatory fines.

48 of 49

Damage (2 of 2)

Case Study 10

Loss of customer confidence and drop in revenues (46% loss for quarter).
Direct loss to Target as high as $450 million.
C I O resigned, C E O paid $16 million to leave.
Cost credit unions and banks more than $200 million to issue new cards.
Insurers demand higher premiums, stricter controls, and more system auditing.
Consumers must watch their credit card statements, and fill out paperwork if fraudulent charges appear.

49 of 49

Copyright

This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.