Securing Information Systems

1
8
Chapter
Securing Information Systems
2
Management Information Systems Chapter 8 Securing
Information Systems
LEARNING OBJECTIVES

• Analyze why information systems need special
  protection from destruction, error, and abuse.
• Assess the business value of security and
  control.
• Design an organizational framework for security
  and control.
• Evaluate the most important tools and
  technologies for safeguarding information
  resources.

3
Management Information Systems Chapter 8 Securing
Information Systems
Phishing A Costly New Sport for Internet Users

• Problem Large number of vulnerable users of
  online financial services, ease of creating bogus
  Web sites.
• Solutions Deploy anti-phishing software and
  services and a multilevel authentication system
  to identify threats and reduce phishing attempts.
• Deploying new tools, technologies, and security
  procedures, along with educating consumers,
  increases reliability and customer confidence.
• Demonstrates ITs role in combating cyber crime.
• Illustrates digital technology as part of a
  multilevel solution as well as its limitations in
  overcoming discouraged consumers.

4
Management Information Systems Chapter 8 Securing
Information Systems
Systems Vulnerability and Abuse

• Why systems are vulnerable
• Internet vulnerabilities
• Wireless security challenges
• Malicious software Viruses, worms, Trojan
  horses, and spyware
• Hackers and cybervandalism
• Spoofing and sniffing
• Denial-of-service attacks

5
Management Information Systems Chapter 8 Securing
Information Systems
Systems Vulnerability and Abuse
Contemporary Security Challenges and
Vulnerabilities
The architecture of a Web-based application
typically includes a Web client, a server, and
corporate information systems linked to
databases. Each of these components presents
security challenges and vulnerabilities. Floods,
fires, power failures, and other electrical
problems can cause disruptions at any point in
the network.
Figure 8-1
6
Management Information Systems Chapter 8 Securing
Information Systems
Systems Vulnerability and Abuse
Worldwide Damage from Digital Attacks
This chart shows estimates of the average annual
worldwide damage from hacking, malware, and spam
since 1999. These data are based on figures from
mi2G and the authors.
Figure 8-3
7
Management Information Systems Chapter 8 Securing
Information Systems
Systems Vulnerability and Abuse
Bot Armies and Network Zombies

• Read the Interactive Session Technology, and
  then discuss the following questions
• What is the business impact of botnets?
• What management, organization, and technology
  factors should be addressed in a plan to prevent
  botnet attacks?
• How easy would it be for a small business to
  combat botnet attacks? A large business?

8
Management Information Systems Chapter 8 Securing
Information Systems
Systems Vulnerability and Abuse

• Computer crime and cyberterrorism
• Identity theft
• Phishing
• Evil twins
• Pharming
• Click fraud
• Cyberterrorism and cyberwarfare
• Internal threats Employees
• Software vulnerability

9
Management Information Systems Chapter 8 Securing
Information Systems
Business Value of Security and Control

• Legal and regulatory requirements for electronic
  records management
• ERM
• HIPAA
• Gramm-Leach-Bliley
• Sarbanes-Oxley
• Electronic evidence and computer forensics

10
Management Information Systems Chapter 8 Securing
Information Systems
Establishing a Framework for Security and Control

• Risk Assessment
• Security policy
• Ensuring business continuity
• Disaster recovery planning and business
  continuity planning
• Security outsourcing
• The role of auditing

11
Management Information Systems Chapter 8 Securing
Information Systems
Technologies and Tools for Security

• Access control
• Firewalls, intrusion detection systems, and
  antivirus software
• Securing wireless networks
• Encryption and public key infrastructure

12
Management Information Systems Chapter 8 Securing
Information Systems
Technologies and Tools for Security
A Corporate Firewall
The firewall is placed between the firms private
network and the public Internet or another
distrusted network to protect against
unauthorized traffic.
Figure 8-6
13
Management Information Systems Chapter 8 Securing
Information Systems
Technologies and Tools for Security
Unilever Secures Its Mobile Devices

• Read the Interactive Session Management, and
  then discuss the following questions
• How are Unilever executives wireless handhelds
  related to the companys business performance?
• Discuss the potential impact of a security breach
  at Unilever.
• What management, organization, and technology
  factors had to be addressed in developing
  security policies and procedures for Unilevers
  wireless handhelds?
• Is it a good idea to allow Unilever executives to
  use both BlackBerrys and cell phones? Why or why
  not?

14
Management Information Systems Chapter 8 Securing
Information Systems
Technologies and Tools for Security
Public Key Encryption
A public key encryption system can be viewed as a
series of public and private keys that lock data
when they are transmitted and unlock the data
when they are received. The sender locates the
recipients public key in a directory and uses it
to encrypt a message. The message is sent in
encrypted form over the Internet or a private
network. When the encrypted message arrives, the
recipient uses his or her private key to decrypt
the data and read the message.
Figure 8-7