management information systems, moving business forward

Untitled-1 1 12/19/11 11:06 AM

7CHAPTER OUTLINE

7.1 Introduction to Information Security

7.2 Unintentional Threats toInformation Systems

7.3 Deliberate Threats toInformation Systems

7.4 What Organizations AreDoing to Protect Information Resources

7.5 Information Security Controls

Information Security

LEARNING OBJECTIVES >>>

1. Discuss the fi ve factors contributing to the increasing vulnerability of information resources, and give one specifi c example of each factor.

2. Compare and contrast human mistakes and social engineering, and give a specifi c example of each.

3. Describe the nine types of deliberate attacks.4. Defi ne the three risk mitigation strategies, and give an example of each in the

context of you owning a home.5. Identify the three major types of controls that organizations can use to protect

their information resources, and give an example of each.

c07InformationSecurity.indd 36 06/12/11 5:58 PM user-F392c07InformationSecurity.indd Page 236 06/12/11 5:58 PM user-F392 /Users/user-F392/Desktop/Users/user-F392/Desktop

OPENING CASE > Thomas Tax Service

RUBY’S CLUBIt seems that every day Ruben and Lisa hear of an attack where credit card information has been stolen, disgruntled employees have shared passwords (private combinations of characters that only the user should know) and stolen or sold customer data, computers have been physically stolen from behind locked doors, and other customer information has been compromised. Th ey are very concerned about information security!

When Dwight Thomas tried to boot up his computer one morning, he realized he had a major problem. His tax service relied completely on the QuickBooks (http://quickbooks.intuit.com) program to maintain all of his customers’ fi nancial information. After multiple attempts to resurrect his computer, he called a local computer repair service. The technician determined that the motherboard was bad and he would require a $5,000 minimum charge to restore Dwight’s data. And what was the worst part of it all? Dwight had no backup. So, he purchased a new computer and began the long and arduous process of manually restoring his data from his paper fi les.

After this incident, Dwight put a backup plan in place. All of his three employees now have a USB drive for QuickBooks fi le backups. Dwight also purchased a fi reproof safe. Each Friday, he takes the USB drives out of the safe and all the employees back up their fi les, using the built-in backup system in QuickBooks. Dwight keeps the three most recent backups. When the employees back up each Friday, QuickBooks erases the oldest backup and creates a new one. Therefore, if there is a problem while the new backup is being created, two safe backups can still be accessed. Although this process seems simple, it is much more effective than not having a backup at all. Given the nature of Dwight’s small business, his system is enough to keep his business going in spite of any computer failure.

Recently, Dwight experi-enced another computer failure. Fortunately, the problem turned out to be only a few corrupted fi les that the local technician quickly repaired for $40. However, Dwight had peace of mind knowing that if he had to start over from scratch with a new com-puter, he could easily restore his data and continue his business operations.

Sources: Compiled from author interview with Dwight Thomas, owner of Thomas Tax Service.

Questions

1. Why did Dwight restore his data manually by himself?

2. What are the advantages and disadvantages of Dwight’s backup plan?

A solid backup plan is critical to information security. As you consider this case, think about your personal data—pictures, videos, schoolwork, fi nancial informa-tion, or any digital fi les that you would like to have if you lost your computer. A duplicate backup is easy to keep, but you have to be diligent about backing up your essential fi les. For a small business, this process is even more important because any loss of data could mean lost customers and lost revenue.

c07InformationSecurity.indd Page 237 06/12/11 5:58 PM user-F392c07InformationSecurity.indd Page 237 06/12/11 5:58 PM user-F392 /Users/user-F392/Desktop/Users/user-F392/Desktop

7.1 I ntroduction to Information Security Security can be defi ned as the degree of protection against criminal activity, danger, damage, and/or loss. Following this broad defi nition, information security means protecting an organi-zation’s information and information systems (known as an organization’s information resources ) from unauthorized access, use, disclosure, disruption, modifi cation, or destruction. Clearly, information and information systems can be compromised by deliberate criminal actions and

238 7 l Information Security

>>> Ruben and Lisa want to know what kind of threats are really out there and which threats might impact a nightclub. Can these threats be categorized so they can better understand them? In what ways might Ruby’s be vulnerable to various information security threats? How much training do employees need to create a secure environment for their customers’ private information?

INTRODUCTIONInformation security is closely related to IT and raises signifi cant questions. For example, how do organiza-tions show due diligence in protecting sensitive, clas-sifi ed information? Is the cause of security breaches in organizations managerial, technological, or some com-bination of both? How should organizations protect their information more eff ectively? Th e most important question raised in this chapter, however, is whether it is possible to secure the Internet. Th e answer to this ques-tion impacts each and every one of us.Th e answers to these and other questions are not clear. As you learn about information security in the context of information technology, you will acquire a better understanding of these issues, their importance, their relationships, and their trade-off s.Information technologies, properly used, can have enormous benefi ts for individuals, organizations, and entire societies. So far, you have learned about diverse ways in which IT has made businesses more productive, effi cient, and responsive to consumers. You have explored areas such as medicine and philanthropy in which IT has improved people’s health and well-being. Unfortunately, information technologies can also be

misused, oft en with devastating consequences. Consider the following:

• Individuals can have their identities stolen.• Organizations’ customer information can be stolen,

leading to fi nancial losses, erosion of customer confi dence, and legal action.

• Countries face the threat of cyberterrorism and cyberwarfare. Cyberwarfare is a critical problem for the U.S. government. In fact, President Barack Obama’s 2009 stimulus package contained billions of dollars to upgrade the government’s digital defenses.

In fact, the misuse of information technologies has come to the forefront of any discussion of IT. For example, the Ponemon Institute (www.ponemon.org), a research fi rm, found that organizations spent an average of $6.75 million for each security breach in 2010.Th e study measured the direct costs of a data breach, such as hiring forensic experts, notifying custom-ers, setting up telephone hotlines to fi eld queries from concerned or aff ected customers, off ering free credit monitoring subscriptions, and discounts for future products and services. Th e study also measured more intangible costs of a breach, such as the loss of business from increased customer turnover (known as customer churn) and decreases in customer trust.According to the study, employee negligence caused many of the data breaches. Th is fi nding confi rms that organizational employees are a weak link in informa-tion security. As a result, it is very important for you to learn about information security so that you will be better prepared when you enter the workforce.


by anything that can impair the proper functioning of an organization’s information systems.

Before you continue, let’s look at these key terms. Organizations have huge amounts of infor-mation and numerous information systems that are subject to many threats. A threat to an infor-mation resource is any danger to which a system may be exposed. Th e exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource. An information resource’s vulnerability is the possi-bility that the system will suff er harm by a threat.

A number of factors are contributing to the increasing vulnerability of organizational informa-tion resources, making it much more diffi cult to secure them. Before you learn about these factors, they are listed here:

• Today’s interconnected, interdependent, wirelessly networked business environment • Smaller, faster, cheaper computers and storage devices • Decreasing skills necessary to be a computer hacker • International organized crime taking over cybercrime • Lack of management support

Th e fi rst factor is the evolution of the information technology resource from mainframe only to today’s highly complex, interconnected, interdependent, wirelessly networked busi-ness environment. Th e Internet now enables millions of computers and computer networks to freely and seamlessly communicate with one another. Organizations and individuals are exposed to a world of untrusted networks and potential attackers. A trusted network , in general, is any network within your organization. An untrusted network , in general, is any network external to your organization. In addition, wireless technologies enable employees to compute, communicate, and access the Internet anywhere and anytime. Signifi cantly, wireless is an inherently nonsecure broadcast communications medium.

Th e second factor refl ects the fact that modern computers and storage devices (e.g., thumb drives or fl ash drives) continue to become smaller, faster, cheaper, and more por-table, with greater storage capacity. Th ese characteristics make it much easier to steal or lose a computer or storage device that contains huge amounts of sensitive information. Also, many more people are able to aff ord powerful computers and connect inexpensively to the Internet, thus increasing the target size of an attack on information assets.

Th e third factor is that the computing skills necessary to be a hacker are decreasing . Th e reason is that the Internet contains information and computer programs (called scripts ) that users with few skills can download and use to attack any information system connected to the Internet. (Security experts can also use these scripts for legitimate purposes, such as testing the security of various systems.)

Th e fourth factor is that international organized crime is taking over cybercrime . Cybercrime refers to illegal activities taking place over computer networks, particularly the Internet. VeriSign’s iDefense Security Intelligence Services (http://labs.idefe n se.com) provides security information to governments and Fortune 500 companies. VeriSign states that groups of well-organized criminals have taken control of a global billion-dollar crime network. Th e network, powered by skillful hackers, targets known soft ware security weak-nesses. Th ese crimes are typically nonviolent but quite lucrative. For example, the losses from armed robberies average hundreds of dollars, and those from white collar crimes aver-age tens of thousands of dollars. In contrast, losses from computer crimes average hundreds of thousands of dollars. Also, these crimes can be committed from anywhere in the world, at any time, eff ectively providing an international safe haven for cybercriminals . Computer-based crimes cause billions of dollars in damages to businesses each year, including the costs to repair information systems and the costs of lost business.

Human mistakes such as unattended equipment often leave resources vulnerable to theft. (Source: George Doyle/Image Source Limited)

Introduction to Information Security 239



Th e fi ft h, and fi nal, factor is lack of management support. For the entire organization to take security policies and procedures seriously, senior managers must set the tone. Ulti-mately, however, lower-level managers may be even more important. Th ese managers are in close contact with employees every day and thus are in a better position to determine whether employees are following security procedures.

BEFORE YOU GO ON . . . 1. Defi ne information security. 2. Defi ne a threat, an exposure, and a vulnerability . 3. Why are the skills needed to be a hacker decreasing?

Student Activity 7.1

Objective: The objective of this exercise is to become familiar with information security and how it is done.

Chapter Connection: This case relates to Chapter 7, Section 7.1, and the importance of information security. When doing business over the Web, it is important to protect an organization’s information and information systems (known as an organization’s information resources) from unauthorized access, use, disclosure, disruption, modifi cation, or destruction.

Prerequisites: You should read Section 7.1 before doing this exercise to become familiar with security.

Activity:Identity theft has become a major concern for those buying merchandise via Web sites. We all want to be sure our personal data is transferred securely. VeriSign is a company that is in the business of protecting Web sites and Web users. Visit the following Web site to read about it:

www.verisign.com/ssl/ssl-information-center/how-ssl-security-works

Deliverables:Read the article and then answer the following questions.

1. Describe the fi ve steps that occur when a browser connects to a secure Web site.

2. What are SSL certifi cates?

3. What are the normal visual cues that a connection is secure?

4. What is the extended verifi cation that is seen on some sites?

Multiple Choice Questions:

1. How does an SSL certifi cate protect sites?

(a) It enables encryption of sensitive information.(b) It is a unique credential. (c) It authenticates the owner.(d) All of the above.

2. What is the fi rst step in setting up a secure connection?

(a) Server sends back digital acknowledgement.(b) Browser checks if it trusts SSL certifi cate. (c) Encrypted data are shared.(d) Browser requests the server identify itself.

3. What is the last step of setting up a secure connection?

(a) Server sends back digital acknowledgement.(b) Browser checks if it trusts SSL certifi cate. (c) Encrypted data are shared.(d) Browser requests the server to identify itself.

4. Strong encryption is how many bits?

(a) 8 (b) 64(c) 128 (d) 256

5. What company is in the identity and authentication security business to secure and certify Web sites?

(a) Microsoft (b) IBM(c) InfoSys (d) VeriSign

Discussion Question:Discuss the benefi ts of using VeriSign on a business Web site for both the company and the user.


Unintentional Threats to Information Systems 241

7.2 Unintentional Threats to Information Systems Information systems are vulnerable to many potential hazards and threats, as you see in Figure 7.1. Th e two major categories of threats are unintentional threats and deliberate threats. In this section you will learn about unintentional threats. Th e next section addresses deliberate threats.

Unintentional threats are those acts with no malicious intent. Human errors are unin-tentional and represent a serious threat to information security.

Figure 7.1 Security threats.

CORPORATE LAN (INTRANET)

EMPLOYEES

● Programming of applications to function contrary to specifications

Systems Programmer

● Bypassing security mechanisms● Disabling security mechanisms● Installing non-secure systems

Operators

● Duplication of confidential reports● Initializing non-secure system● Theft of confidential material

Users

● Data entry errors● Weak passwords● Lack of training

Application Programmer

Malw

are

(viruses, worm

s, etc.)

Denial of service

Unauthorized

users

(crackers,

hackers)

OTHER INSIDERS

Consultants, contract labor,janitors

● Unauthorized access● Theft● Copying

HARDWARE THREATS

● Located in nonsecure environment

PCS

Terminals

● Fraudulent identification● Illegal leakage of authorized information● Viruses, worms, and other malware● Physical theft

Databases

● Unauthorized access● Copying● Theft

Systems software

● Failure of protection mechanisms● Information leakage● Installed unauthorized software

Internet

FirePower outagesOther accidents

Natural Disasters(Floods, storms)

Man-made Disasters

OUTSIDE THREATS

INSIDE THREATS



Human Errors Organizational employees span the breadth and depth of the organization, from mail clerks to the CEO, and across all functional areas. Th ere are two important points to be made about employees. First, the higher the level of employee, the greater the threat the employee poses to information security. Th is situation exists because higher-level employees typically have greater access to corporate data and enjoy greater privileges on organizational infor-mation systems. Second, employees in two areas of the organization pose signifi cant threats to information security: human resources and information systems. Human resources employees generally have access to sensitive personal information about all employees. Likewise, information systems employees not only have access to sensitive organizational data, but they also oft en control the means to create, store, transmit, and modify that data.

Other employees include contract labor, consultants, and janitors and guards. Contract labor, such as temporary hires, may be overlooked in information security. However, these employees oft en have access to the company’s network, information systems, and infor-mation assets. Consultants, while technically not employees, do work for the company. Depending on the nature of their work, these people may also have access to the company’s network, information systems, and information assets.

Janitors and guards are the most frequently ignored people in information security. Companies might outsource their security and janitorial services, meaning that, although these individuals technically are not employees, they nevertheless do work for the com-pany. Moreover, they are usually present when most—if not all—other employees have gone home. Th ey typically have keys to every offi ce, and nobody questions their presence in even the most sensitive parts of the building. In fact, an article from the Winter 1994 edition of 2600: Th e Hacker Quarterly described how to get a job as a janitor for the purpose of gaining physical access to an organization.

Human errors or mistakes by employees pose a large problem as the result of laziness, carelessness, or a lack of awareness concerning information security. Th is lack of aware-ness comes from poor education and training eff orts by the organization. Human mistakes manifest themselves in many diff erent ways, as you see in Table 7.1.

TABLE 7.1 Human Mistakes

Mistake Description and Examples

Carelessness with laptops Losing laptops, misplacing laptops, leaving them in taxis, and so on.

Carelessness with computing devices Losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization’s network.

Opening questionable e-mails Opening e-mails from someone unknown, or clicking on links embedded in e-mails (see “Phishing Attacks” later in this chapter).

Careless Internet surfi ng Accessing questionable Web sites; can result in malware and/or alien soft ware being introduced into the organization’s network.

Poor password selection and use Choosing and using weak passwords (see “Strong Passwords” later in this chapter).

Carelessness with one’s offi ce Unlocked desks and fi ling cabinets when employees go home at night; not logging off the company network when gone from the offi ce for any extended period of time.

Carelessness using unmanaged devices Unmanaged devices are those outside the control of an organization’s IT department and company security procedures. Th ese devices include computers belonging to customers and business partners, computers in the business centers of hotels, and computers in Starbucks, Panera Bread, and so on.

Carelessness with discarded equipment Discarding old computer hardware and devices without completely wiping the memory; includes computers, cell phones, Blackberries, and digital copiers and printers.

Careless monitoring of environmental Th ese hazards, which include dirt, dust, humidity, and static electricity, are harmful to the hazards safe operation of computing equipment.


Unintentional Threats to Information Systems 243

Th e human errors that you have just studied are unintentional on the part of the employee. However, employees can also make unintentional mistakes as a result of actions by an attacker. Attackers oft en employ social engineering to induce individuals to make unintentional mistakes and disclose sensitive information.

Social Engineering In a social engineering attack, the perpetrator uses social skills to trick or manipu-late a legitimate employee into providing confi dential company information such as passwords. Th e most common example of social engineering occurs when the attacker impersonates someone else on the telephone, such as a company manager or information systems employee. Th e attacker claims to have forgotten the pass-word and asks the legitimate employee to provide a password to use. Other common exploits include posing as an exterminator, an air conditioning technician, or a fi re marshal. Examples of social engineering abound.

In one company, a perpetrator entered a company building wearing a com-pany ID card that looked legitimate. He walked around and put up signs on bulletin boards saying, “The help desk telephone number has been changed. The new number is 555-1234.” He then exited the building and began receiving calls from legitimate employees thinking they were calling the company help desk. Naturally, the first thing the perpetrator asked for was user name and password. He now had the information necessary to access the company’s information systems.

Two other social engineering techniques include tailgating and shoulder surf-ing. Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, asks the person to “hold the door.” Shoulder surfi ng occurs when a perpetrator watches the employee’s computer screen over that person’s shoulder. Th is technique is par-ticularly successful in public areas such as airports and commuter trains and on airplanes.

Who is real and who is engaged in social engineering? Can you tell? (Source: Blend/Image Source Limited)

Piracy is theft. Would you steal a DVD? (Source: © Creasource/Corbis)



BEFORE YOU GO ON . . . 1. What is an unintentional threat to an information system? 2. Provide other examples of social engineering attacks.

RUBY’S CLUB Q U E S T I O N S

1. Provide an example of a social engineering attack on Ruby’s and how the club might counter the attack.

2. USB storage devices are small and can store huge amounts of information. What type of policy should Ruby’s implement to avoid information being stolen with such a device?


Objective: The objective of this exercise is to become familiar with some threats to information security that are often committed unintentionally.

Chapter Connection: This case relates to Chapter 7, Section 7.2, on unintentional threats to information systems. Information systems are vulnerable to many potential hazards and threats. The two major categories of threats are unintentional threats and deliberate threats. In this section we discuss unintentional threats.

Prerequisites: You should read Section 7.2 before doing this exercise to become familiar with security threats.

Activity: Go to the following Web address, read the background information in the article, and then watch the video clip.

http://blogs.techrepublic.com.com/itdojo/?p=1700&tag= content;col1 (Copiers)

Deliverables:Write a paragraph summarizing what happened and what was discussed in this video.

1. Ask some people who work in your school library or some people you know who work in industry

if they are aware if the copiers they use are periodically “cleaned” by the hard drives being deleted of any sensitive data.

2. Report on your fi ndings.


1. Based on the article and narrative, why are companies NOT cleaning the hard drives of their copiers?

(a) Not aware of risk(b) Too much effort (c) Not verifying data erased(d) All of the above

2. Who reported this happening?

(a) CNN(b) CBS (c) NBC(d) TNN

Discussion Questions:Discuss some of the uses you have made of copiers in school or at the library. Have you ever copied personal data? How would you feel if this were made available to the wrong people? What do you think should be done?


Deliberate Threats to Information Systems 245

7.3 Deliberate Threats to Information Systems Th ere are so many types of deliberate acts that a brief list is provided here for your convenience:

• Espionage or trespass • Information extortion • Sabotage or vandalism • Th eft of equipment or information • Identity theft • Compromises to intellectual property • Soft ware attacks • Alien soft ware • Supervisory control and data acquisition (SCADA) attacks • Cyberterrorism and cyberwarfare

Espionage or Trespass Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access to organizational information. It is important to distinguish between competi-tive intelligence and industrial espionage. Competitive intelligence consists of legal information-gathering techniques, such as studying a company’s Web site and press releases, attending trade shows, and so on. In contrast, industrial espionage crosses the legal boundary.

Information Extortion Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. Th e perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

Sabotage or Vandalism Sabotage and vandalism are deliberate acts that involve defacing an organization’s Web site, possibly causing the organization to lose its image and its customers to experience a loss of confi dence. One form of online vandalism is a hacktivist or cyberactivist operation. Th ese are cases of high-tech civil disobedience to protest the operations, policies, or actions of an organization or government agency.

Theft of Equipment and Information Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage (e.g., laptops, BlackBerrys, personal digital assistants, smart phones, digi-tal cameras, thumb drives, and iPads ). As a result, these devices are becoming easier to steal and easier for attackers to use to steal information.

Table 7.1 points out that one type of human mistake is carelessness with laptops. In fact, such carelessness oft en leads to laptops being stolen. Th e cost of a stolen laptop includes the loss of data, the loss of intellectual property, laptop replacement, legal and regulatory costs, investigation fees, and lost productivity.

One form of theft , known as dumpster diving, involves the practice of rummaging through commercial or residential trash to fi nd information that has been discarded. Paper fi les, letters, memos, photographs, IDs, passwords, credit cards, and other forms of infor-mation can be found in dumpsters. Unfortunately, many people never consider that the sensitive items they throw in the trash may be recovered. Such information, when recov-ered, can be used for fraudulent purposes.



Dumpster diving is not necessarily theft , because the legal-ity of this act varies. Because dumpsters are usually located on private premises, dumpster diving is illegal in some parts of the United States. Even in these cases, however, the relevant laws are enforced with varying degrees of rigor.

Identity Theft Identity theft is the deliberate assumption of another person’s identity, usually to gain access to his or her fi nancial information or to frame him or her for a crime. Techniques for obtaining information include:

• stealing mail or dumpster diving; • stealing personal information in computer databases; • infi ltrating organizations that store large amounts of

personal information (e.g., data aggregators such as Acxiom , www.ac x iom.com); and

• impersonating a trusted organization in an electronic communication ( phishing ).

Recovering from identity theft is costly, time consuming, and diffi cult. Victims also report problems in obtaining credit and obtaining or holding a job, as well as adverse eff ects on insurance or credit rates. In addition, victims state that it is oft en diffi cult to remove negative information from their records, such as their credit reports.

Anyone’s personal information can be compromised in other ways. For example, an identity can be uncovered just from examining searches in a search engine. Th e ability to ana-lyze all searches by a single user can enable a criminal to iden-tify who the user is and what he or she is doing. As just one example, the New York Times tracked down a particular person based solely on her AOL searches.

Compromises to Intellectual Property Protecting intellectual property is a vital issue for people who make their livelihood in knowledge fi elds. Intellectual property is the property created by individuals or corpora-tions that is protected under trade secret , patent , and copyright laws.

A trade secret is an intellectual work, such as a business plan, that is a company secret and is not based on public information. An example is a corporate strategic plan. A patent is a document that grants the holder exclusive rights on an invention or process for 20 years. Copyright is a statutory grant that provides the creators of intellectual property with ownership of the property for the life of the creator plus 70 years. Owners are entitled to collect fees from anyone who wants to copy the property. It is important to note that these are defi nitions under U.S. law. Th ere is some international standardization, but it is far from total. Th erefore, diff er-ences may be found between U.S. law and other countries’ laws.

Th e most common intellectual property related to IT deals with soft ware. Th e U.S. Federal Computer Soft ware Copyright Act (1980) provides protection for source and object code of computer soft ware, but the law does not clearly identify what is eligible for protection. For example, copyright law does not protect similar concepts, functions, and general features such as pull-down menus, colors, and icons. However, copying a soft ware program without making payment to the owner—including giving a disc to a friend to install on his or her computer—is a copyright violation. Not surprisingly, this practice, called piracy , is a major problem for soft ware vendors. Th e global trade in pirated soft ware amounts to billions of dollars.

Software attacks are frustrating, can be embarrassing, and often stop productivity. (Source: FSTOP/Image Source Limited)



Software Attacks Soft ware attacks have evolved from the outbreak era—during which malicious soft ware ( malware ) tried to infect as many computers worldwide as possible—to the profi t-driven, Web-based attacks of today. Cybercriminals are heavily involved with malware attacks to make money, and they use sophisticated, blended attacks typically via the Web. Table 7.2 shows a variety of soft ware attacks. You will see that soft ware attacks are grouped into three categories: remote attacks needing user action; remote attacks needing no user action; and soft ware attacks by programmers during the development of a system. “ IT’s About Business 7.1” provides an example of a soft ware attack.

TABLE 7.2 Types of Software Attacks

Type Description

(1) Remote Attacks Needing User Action

Virus Segment of computer code that performs malicious actions by attaching to another computer program.

Worm Segment of computer code that performs malicious actions and will replicate and will replicate, or spread, by itself (without requiring another computer program).

Phishing Attack Phishing attacks use deception to acquire sensitive personal information by masquerading as offi cial-looking e-mails or instant messages.

Spear Phishing Attack Phishing attacks target large groups of people. In spear phishing attacks, the perpetrators fi nd out as much information about an individual as possible to improve their chances that phishing techniques will be able to obtain sensitive, personal information.

(2) Remote Attacks Needing No User Action

Denial-of-Service Attack Attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function).

Distributed Denial-of- An attacker fi rst takes over many computers, typically by Service Attack using malicious soft ware. Th ese computers are called

zombies, or bots. Th e attacker uses these bots (which form a botnet) to deliver a coordinated stream of information requests to a target computer, causing it to crash.

(3) Attacks by Programmer Developing a System

Trojan Horse Soft ware programs that hide in other computer programs and reveal their designed behavior only when they are activated.

Back Door Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door).

Logic Bomb Segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.



Virus Attack Hits the University of Exeter

A massive virus attack impacted the University of Exeter (www.exeter.ac.uk), located in southwestern England. The university has 16,000 students on three campuses, two in Exeter and one in Cornwall. The virus attack, which exploited computers running Microsoft Windows Vista Service Pack 2, caused the university to temporarily take its entire network offl ine. University offi cials stated that this measure was necessary in order to scan and repair all university computers. The university also scanned nonuniversity-owned Vista personal computers, which were used by students who had connected to the university’s network. In addition, the Cornwall campus was isolated from the main campuses in Exeter to avoid spreading the virus.

The virus caused problems for university faculty. The interactive teaching boards in all classrooms were inoperable, meaning that professors could not use PowerPoint presentations or access the Internet in class. Also, the university’s voice-over-Internet Protocol (VoIP) telephone system was inoperable.

One of the biggest issues for the university’s students is that they had no access to the virtual learning environment (VLE). This lack of access presented a large problem for students who had assignments or papers due, and could not obtain access to online versions stored in the VLE. Further, students could not access any data stored in the VLE.

The university faculty did promise to make allowances for students and arranged short-term extensions to deadlines. Interestingly, computers in student residence halls were the last to be added back to the operational university network.

It took three days to clean infected computers and bring the network back into operation. In early 2011, no one knows for certain how the virus entered the university network or who the perpetrators were. However, an internal university e-mail suggested that someone had not applied appropriate patches for the security software in a timely fashion, leading to the massive attack.

Questions

1. What other actions could the university have taken to prevent the attack?

2. What actions should the university now perform to prevent future attacks?

Sources: Compiled from “University of Exeter Shuts Down Its Network Because of the Attack of a Virus,” www.2-viruses, January 21, 2010; L. Constatin, “Mystery Computer Virus Hits UK University,” www.softpedia.com, January 21, 2010; J. Leyden, ”Exeter Uni Goes Offl ine to Fight Mystery Malware,” The Register, January 21, 2010; Z. Whittaker, “Virus Attack Hits Vista Machines, Cripples University Network,” ZDNet.com, January 20, 2010; “University of Exeter Malware Outbreak,” www.ja.net, January 20, 2010; www.exeter.ac.uk, accessed February 9, 2011.

ABOUT BUSINESS 7.1IT’s

Alien Software Many personal computers have alien soft ware (also called pestware ) running on them that the owners do not know about. Alien software is clandestine soft ware that is installed on a computer through duplicitous methods. Alien soft ware is typically not as malicious as viruses, worms, or Trojan horses, but it does use up valuable system resources. In addition, it can report on your Web surfi ng habits and other personal behavior.

Th e vast majority of pestware is adware —soft ware that is designed to help pop-up advertisements appear on your screen. Adware is so common because it works. According to advertising agencies, for every 100 people who delete such an ad, three click on it. Th is “hit rate” is extremely high for Internet advertising.

Spyware is soft ware that collects personal information about users without their con-sent. Two types of spyware are addressed here: keystroke loggers and screen scrapers.



Keystroke loggers (also called keyloggers ) record keystrokes and record Internet Web browsing history. Th e purposes range from criminal (e.g., theft of passwords and sensitive personal information such as credit card numbers) to annoying (e.g., recording Internet search history for targeted advertising).

Companies have attempted to counter key loggers by switching to other forms of input for authentication. For example, all of us have been forced to look at wavy, distorted letters and type them correctly into a box. Th at string of letters is called a CAPTCHA, and it is a test. Th e point of CAPTCHA is that reading those distorted letters is something that com-puters cannot do accurately (yet). Th e fact that you can transcribe them means that you are probably not a soft ware program run by an unauthorized person, such as a spammer. As a result, attackers have turned to screen scrapers (or screen grabbers ), soft ware that records a continuous “movie” of a screen’s contents rather than simply recording keystrokes.

Spamware is pestware that is designed to use your computer as a launch pad for spam-mers. Spam is unsolicited e-mail, usually for the purpose of advertising for products and services. When your computer is used this way, e-mails from spammers appear to come from you. Even worse, spam will be sent to everyone in your e-mail address book.

Not only is spam a nuisance, but it wastes time and money. Spam costs U.S. companies billions of dollars per year. Th ese costs come from productivity losses, clogged e-mail sys-tems, additional storage, user support, and antispam soft ware. Spam can also carry viruses and worms, making it even more dangerous.

Cookies are small amounts of information that Web sites store on your computer, tem-porarily or more-or-less permanently. In many cases, cookies are useful and innocuous. For example, some cookies store passwords and user IDs that you do not have to retype every time you load a new page at the Web site that issued the cookie. Cookies are also necessary if you want to shop online, because they are used for your shopping carts at various online merchants.

Tracking cookies, however, can be used to track your path through a Web site, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes. Tracking cookies can also combine this information with your name, purchases, credit card information, and other personal data, to develop an intru-sive profi le of your spending habits.

Most cookies can be read only by the party that created them. However, some com-panies that manage online banner advertising are, in essence, cookie-sharing rings. Th ese companies can track information such as which pages you load and which ads you click on. Th ey then share this information with their client Web sites (which may number in the thousands). For a cookie demonstration, see http://pri v acy.net/track.

Supervisory Control and Data Acquisition (SCADA) Attacks SCADA refers to a large-scale, distributed, measurement and control system. SCADA systems are used to monitor or to control chemical, physical, or transport processes such as oil refi neries, water and sewage treatment plants, electrical generators, and nuclear power plants. Essentially, SCADA systems provide the link between the physical world and the electronic world.

SCADA systems consist of multiple sensors, a master computer, and communications infrastructure. Th e sensors connect to physical equipment and read status data such as the open/closed status of a switch or a valve, as well as measurements such as pressure, fl ow, voltage, and current. By sending signals to equipment, sensors control that equipment, such as opening or closing a switch or valve or setting the speed of a pump.

Th e sensors are connected in a network, and each sensor typically has an Internet (Internet Protocol, or IP) address. (You studied about IP addresses in Chapter 4.) If an attacker can gain access to the network, he or she can disrupt the power grid over a large area or disrupt the operations of a large chemical plant. Such actions could have catastrophic results, as you can see in “ IT’s About Business 7.2.”

Cyberterrorism and Cyberwarfare With both cyberterrorism and cyberwarfare , attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually



to carry out a political agenda. Cyberterrorism and cyberwarfare range from gathering data to attacking critical infrastructure (via SCADA systems). Th e two types of attacks are discussed synonymously here, even though cyberterrorism typically is carried out by indi-viduals or groups, whereas cyberwarfare involves nations. Following are examples of cyber-attacks against Estonia and the Republic of Georgia.

The Stuxnet Worm

Stuxnet is the name of a worm, discovered in July 2010, that targets SCADA systems. In particular, Stuxnet targets only Siemens SCADA systems that are confi gured to control and monitor specifi c industrial processes. In fact, security experts around the world suspect that the worm’s target was the uranium enrichment industrial infrastructure in Iran. On November 29, 2010, Iran confi rmed that its nuclear program had been damaged by Stuxnet. Thus, the worm may have damaged Iran’s nuclear facilities in Natanz, and eventually delayed the startup of Iran’s Bushehr nuclear power plant.

Construction of the Stuxnet worm required an in-depth knowledge of nuclear industrial processes. The worm fakes industrial process control sensor signals so that an infected system does not shut down due to abnormal behavior. The worm appears to impair Iran’s computer-controlled uranium centrifuges, which mysteriously lost 30 percent of their production capacity, thereby delaying any plans to produce a nuclear weapon. The worm adjusts the user interface for the centrifuge control systems to make it appear that the centrifuges are operating normally. Stuxnet changes the speed of the motors that spin the centrifuges from very high to very low, and back again. This process stops the uranium from being enriched and damages the motors.

Security experts from Symantec (www.symantec.com), a leading vendor of information security systems, think that the group that developed Stuxnet was well funded, consisted of fi ve to ten people, and took six months to create the worm. The New York Times reported that experts studying Stuxnet feel that the complexity of the worm indicates that only a nation-state would have the capabilities to produce it.

In response to the infection, Iran assembled a team to combat the worm, which spread rapidly in that

country, affecting more than 30,000 IP addresses there. This problem has been compounded by the ability of Stuxnet to mutate, meaning that new versions of the worm continue to spread. In addition, no one knows who created the worm and no one has taken credit for creating it. A security expert noted that it was impossible to defi nitively state where Stuxnet originated.

Stuxnet heralds a frightening new era in cyberwarfare. China, Russia, the United States, and other nations have been quietly engaging in cyberwarfare for several years, but this worm represents a major technological escalation. One security expert noted that worms such as Stuxnet are what nation-states build if their only other option is to go to war.

Questions

1. Describe the implications of the precisely targeted nature of the Stuxnet attack.

2. What does the statement mean that “nations use malware such as the Stuxnet worm when their only alternative is to go to war.”

Sources: Compiled from M. Schwartz, “Stuxnet Iran Attack Launched from 10 Machines,” InformationWeek, February 14, 2011; G. Keizer, “Stuxnet Struck Five Targets in Iran, Say Researcher,” Computerworld, February 11, 2011; M. Schwartz, “Symantec Finds Stuxnet Targets Iranian Nuclear Enrichment,” InformationWeek, November 16, 2010; “Stuxnet: Declaring Cyberwarfare on Iran,” The Week, October 8, 2010; E. Messmer, “Is Stuxnet an Israeli-Invented Attack Against Iran?” NetworkWorld, September 30, 2010; T. Claburn, “Iran Denies Stuxnet Worm Hurt Nuclear Plant,” InformationWeek, September 27, 2010; D. Goodin, “SCADA Worm a Nation-State Search-and-Destroy Weapon,” The Register, September 22, 2010; M. Clayton, “Stuxnet Malware: Is ‘Weapon’ Out to Destroy . . . Iran’s Bushehr Nuclear Plant?” Christian Science Monitor, September 21, 2010; J. Kirk, “Eset Discovers Second Variation of Stuxnet Worm,” NetworkWorld, July 20, 2010; www.symantec.com, accessed February 16, 2011.




EXAMPLE In 2007, a three-week wave of massive distributed denial-of-service ( DDoS ) cyberattacks against the Baltic country of Estonia disabled the Web sites of government ministries, political parties, newspapers, banks, and companies. One of the most wired societies in Europe, Estonia is a pioneer of e-government. As a result, the country is highly vulnerable to cyberattack . In the early phase of the DDoS attack, some perpetrators were identifi ed by their IP addresses. Many of these addresses were Russian, and some of them were from Russian state institutions. In August 2008, Russian troops entered the Republic of Georgia’s province of South Ossetia to crush a Georgian attempt to control a breakaway by that region. DDoS attacks on Georgian Web sites were apparently synchronized with the Russian invasion. The cyberattack shut down the Web site of the Georgian president, Mikheil Saakashvilli , for 24 hours and defaced the Georgian parliament Web site with images of Adolf Hitler. Saakashvilli blamed Russia for the attacks, but the Russian government denied the charges. Terrorist groups around the world have expanded their activities on the Internet, increasing the sophistication and volume of their videos and messages, in an effort to recruit new members and raise money. In response, the U.S. military is expanding its offensive capabilities to attack terrorists’ Web sites, rather than just monitor them.

BEFORE YOU GO ON . . . 1. Why has the theft of computing devices become more serious over

time? 2. What are the three types of software attacks? 3. Defi ne alien software. 4. What is a SCADA system?


1. You saw four examples of methods used to steal identities. Which of these are most important for Ruby’s to consider? For each method that you choose, discuss how Ruby’s can protect its customers and employees from identity theft.

2. Because Ruby’s is redesigning the physical layout of the club, where should it house its “back offi ce” operations to help deter theft of equipment and/or information?


Objective: The objective of this exercise is to become familiar with information security and deliberate threats that could result in identity theft or otherwise compromise information.

Chapter Connection: This case relates to Chapter 7, Section 7.3 and the importance of protecting information from deliberate threats.



Prerequisites: Read Section 7.3 before doing this exercise to become familiar with types of threats.

Activity: Many types of deliberate acts can threaten the privacy of personal information, such as espionage, information extortion, sabotage or vandalism, theft of equipment or information, identity theft, software attacks, cyberterrorism, and cyberwarfare.

Watch the video at the following link:

http://deliveringtrust.com by clicking the arrow in the middle of the screen.Then click on “Learn” and click the icons at the right to learn about various types of threats.

Deliverables:Answer the following:

1. What is Internet fraud?

2. What is identity theft?

3. What is telemarketing fraud?

4. What is cross-border fraud?


1. Phishing is what happens when:

(a) Someone sends you unwanted e-mails attempting to sell products or services.

(b) Someone illegally blocks your access to a Web site.

(c) Someone pretends to be a trustworthy source to steal your personal information.

2. If a stranger tries to “friend” you on a social media Web site such as MySpace or Facebook, you should:

(a) Introduce yourself.(b) Ask the person to contact you at your e-mail

address. (c) Ignore the person.

3. The “London Scam” is what happens when:

(a) Someone promises to send you a large sum of money if you provide your bank account number.

(b) Someone pretends to be stranded outside the United States and asks for your help.

(c) A domestic Web site registers under a false foreign domain.

4. If you get a message from a friend on MySpace or Facebook that is blank except for a Web link, what should you do?

(a) Ignore it. It may be a “phishing” scam.(b) Click on the link, but do not provide any

information to the linked site. (c) Reply and ask the friend if he or she really sent

the link.

5. You should change your online password:

(a) Every day.(b) Frequently. (c) Once a year.

Discussion Question:Discuss the various types of deliberate threats that can happen. Has anyone been a victim of any of these?

7.4 What Companies Are Doing to Protect Information Resources Why is it so diffi cult to stop cybercriminals ? Table 7.3 lists the major diffi culties involved in protecting information. Because organizing an appropriate defense system is so important to the entire enterprise, it is one of the major responsibilities of any prudent CIO as well as the functional managers who control information resources. In fact, IT security is the busi-ness of everyone in an organization.

Another reason why it is diffi cult to protect information resources is that the online commerce industry is not particularly willing to install safeguards that would make it harder to complete transactions. It would be possible, for example, to demand passwords or per-sonal identifi cation numbers for all credit card transactions. However, these requirements might discourage people from shopping online. Also, there is little incentive for companies like AOL to share leads on criminal activity either with one another or with the FBI. For credit card companies, it is cheaper to block a stolen credit card and move on than to invest time and money on a prosecution.

Despite these diffi culties, the information security industry is battling back. Companies are developing soft ware and services that deliver early warnings of trouble on the Internet.


What Companies Are Doing to Protect Information Resources 253

TABLE 7.3 The Diffi culties in Protecting Information Resources

Hundreds of potential threats exist.

Computing resources may be situated in many locations.

Many individuals control information assets.

Computer networks can be located outside the organization and are thus diffi cult to protect.

Rapid technological changes make some controls obsolete as soon as they are installed.

Many computer crimes are undetected for a long period of time, so it is diffi cult to learn from experience.

People tend to violate security procedures because the procedures are inconvenient.

Th e amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, one can learn hacking, for free, on the Internet.

Th e cost of preventing hazards can be very high. Th erefore, most organizations simply cannot aff ord to protect against all possible hazards.

It is diffi cult to conduct a cost-benefi t justifi cation for controls before an attack occurs because it is diffi cult to assess the value of a hypothetical attack.

Unlike traditional antivirus soft ware, which is reactive, early-warning systems are proactive, scanning the Web for new viruses and alerting companies to dangers.

Organizations spend a great deal of time and money protecting their information resources. Before doing so, they perform risk management.

Risk is the probability that a threat will impact an information resource. Th e goal of risk management is to identify, control, and minimize the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels. Risk management encompasses three processes: risk analysis, risk mitigation, and controls evaluation.

Risk analysis is the process by which an organization assesses the value of each asset being protected, estimates the probability that each asset will be compromised, and com-pares the probable costs of the asset’s being compromised with the costs of protecting that asset. Organizations perform risk analysis to ensure that their information systems’ security programs are cost eff ective. Th e risk analysis process prioritizes the assets to be protected based on each asset’s value, its probability of being compromised, and the estimated cost of its protection. Th e organization then considers how to mitigate the risk.

In risk mitigation , the organization takes concrete actions against risks. Risk mitiga-tion has two functions: (1) implementing controls to prevent identifi ed threats from occur-ring and (2) developing a means of recovery should the threat become a reality. Several risk mitigation strategies may be adopted by organizations. Th e three most common are risk acceptance, risk limitation, and risk transference.

• Risk acceptance: Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

• Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat.

• Risk transference: Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.

In controls evaluation, the organization examines the costs of implementing adequate control measures against the value of those control measures. If the costs of implementing a control are greater than the value of the asset being protected, then control is not cost eff ec-tive. In the next section, you will study the various controls that organizations use to protect their information resources.



BEFORE YOU GO ON . . . 1. Describe several reasons why it is diffi cult to protect information

resources. 2. Compare and contrast risk management and risk analysis.


1. Risk analysis is crucial for Ruby’s. Is the database crucial to Ruben and Lisa’s business plan? Perform a risk analysis of their database. Which risk mitigation strategy should Ruby’s use? Support your answer.

2. Ruben and Lisa also want to know how they can test their security against intentional and unintentional threats.


Objective: The objective of this exercise is to become familiar with the Fair Information Practices Principles and relate them to business procedures to protect personal data.

Chapter Connection: This case relates to Chapter 7, Section 7.4 on protecting information resources. It is the responsibility of the organization to protect the information resources it needs to successfully conduct business. The organization should also inform the customer what information is collected and how it is being used. These both relate to the Fair Information Practices.

Prerequisites: You should read Section 7.4 before doing this exercise to become familiar with data privacy issues and procedures recommended to secure the data.

Activity: The heart of information systems is the data used in processing transactions and making business decisions. However, often this data is private information about individuals and companies. It is important that this data and information be used wisely and protected. The Federal Trade Commission (FTC) has established a set of Fair Information Practices Principles as guidelines for government agencies’ collection and use of personal information. These same guidelines also should be a basis for business use of data.

Review the Fair Information Practices Principles for protecting America’s consumers at ftc.gov/reports/privacy3/fairinfo.shtm.

Deliverables:Open a Word document and summarize in your own words the key points for the following fi ve guidelines. Check with you instructor on how to submit your answers.

1. Notice/Awareness

2. Choice/Consent

3. Access/Participation

4. Integrity/Security

5. Enforcement/Redress

Watch the Pizza Ordering Video at www.youtube.com/watch?v=RNJl9EEcsoE with the Fair Information Practices Principles in mind. Based on the video and the FTC guidelines, answer the following questions.


1. Making data available to the consumer so they can verify its correctness is an example of:

(a) Notice/Awareness(b) Choice/Consent (c) Access/Participation(d) Integrity/Security


Information Security Controls 255

2. Giving consumers the right to opt-in or opt-out of how their information is used is an example of:


3. Informing the consumer what data is being collected and how it will be used is an example of:


4. Having the data collector protect the information from unauthorized use or disclosure is an example of:


5. Which of these mechanisms is/are in place to enforce fair information practices?

(a) Self-regulation(b) Private remedies (c) Government enforcement(d) All of the above.

Discussion Questions:1. How would following the Fair Information Practices

Principles prevent some of what you viewed in the pizza video from happening? Identify ways in which the fi ve core principles are not followed.

2. Have you or a family member ever experienced identity theft? If so, did the company that had the information breech provide some future protection to those whose data was compromised?

3. What can you do to protect yourself from identity theft?

7.5 Information Security Controls To protect their information assets, organizations implement controls , or defense mecha-nisms (also called countermeasures ). Information security controls are designed to protect all of the components of an information system, including data, soft ware, hardware, and networks. Because there are so many diverse threats, organizations utilize layers of controls, or defense-in-depth.

Controls are intended to prevent accidental hazards, deter intentional acts, detect prob-lems as early as possible, enhance damage recovery, and correct problems. Before you study controls in more detail, it is important to emphasize that the single most eff ective control is user education and training, leading to increased awareness of the vital importance of information security on the part of every organizational employee.

Th e three major types of controls are physical controls, access controls, and commu-nications controls. Figure 7.2 illustrates these controls. In addition to applying controls, organizations plan for business continuity in case of a disaster and audit their information resources.

Physical Controls Physical controls prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems. More sophisticated physical controls include pressure sensors, temperature sensors, and motion detectors. One weakness of physical controls is that they can be inconvenient to employees.

Guards deserve special mention because they have very diffi cult jobs for at least two reasons. First, their jobs are boring and repetitive and generally do not pay well. Second, if they do their jobs thoroughly, other employees harass them, particularly if their being con-scientious slows up the process of entering a facility.

Organizations also put other physical security considerations in place. Such controls limit users to acceptable login times and locations. Th ese controls also limit the number of unsuccessful login attempts, and they require all employees to log off their computers when



Figure 7.2 Where defense mechanisms are located. (Sources: © Sergey Titov/iStockphoto; fatihhoca/iStockphoto)

CORPORATE LAN (INTRANET)

Compa

ny’s

gate

Buildin

g doo

r

Humanguard

Employee orattacker in

office

ID SystemEncryptionAccess password

AuthenticationAccess passwordPersonal ID

Firewall

Denial-of-service protectionIntrusion detection systemAnti-malware software

Employeeor

attacker

ID system(card or

biometric)

PC

Smartphone

iPad

Remoteemployeeor attacker

Internet

PHYSICAL CONTROLS

ACCESS CONTROLS

ACCESSCONTROLS

COMMUNICATIONSCONTROLS

they leave for the day. In addition, computers are set to automatically log off the user aft er a certain period of disuse.

Access Controls Access controls restrict unauthorized individuals from using information resources. Th ese controls involve two major functions: authentication and authorization. Authentication determines the identity of the person requiring access. Aft er the person is authenticated (identifi ed), authorization is applied. Authorization determines which actions, rights, or privileges the person has, based on verifi ed identity. Authentication. To authenticate (identify) authorized personnel, an organization can use one or more of the following methods: something the user is, something the user has, something the user does, and/or something the user knows.

Something the user is (also known as biometrics ), is an authentication method that examines a person’s innate physical characteristics. Common biometric applications are fi ngerprint scans, palm scans, retina scans, iris recognition, and facial recognition. Of these, fi ngerprints, retina scans, and iris recognition provide the most defi nitive identifi cation.

Something the user has is an authentication mechanism that includes regular identifi ca-tion (ID) cards, smart ID cards, and tokens. Regular ID cards, or dumb cards, typically have the person’s picture, and oft en his or her signature. Smart ID cards have a chip embedded in them with pertinent information about the user. (Smart ID cards used for identifi cation diff er from smart cards used in electronic commerce (see Chapter 9). Both types of card have embedded chips, but they are used for diff erent purposes). Tokens have embedded chips and a digital display that presents a login number that the employees use to access the organization’s network. Th e number changes with each login.



Something the user does is an authentication mechanism that includes voice and signa-ture recognition. In voice recognition , the user speaks a phrase (e.g., his or her name and department) that has been previously recorded under controlled, monitored conditions. Th e voice recognition system matches the two voice signals. In signature recognition , the user signs his or her name, and the system matches this signature with one previously recorded under controlled, monitored conditions. Signature recognition systems also match the speed of the signature and the pressure of the signature.

Something the user knows is an authentication mechanism that includes passwords and passphrases . Passwords present a huge information security problem in all organizations. All users should use strong passwords so that the password cannot easily be discovered. Strong passwords have the following characteristics:

• Th ey should be diffi cult to guess. • Th ey should be longer rather than shorter. • Th ey should contain uppercase letters, lowercase letters, numbers, and special characters. • Th ey should not be a recognizable word. • Th ey should not be the name of anything or anyone familiar, such as family names or

names of pets. • Th ey should not be a recognizable string of numbers, such as a Social Security number

or birthday.

Unfortunately, strong passwords are irritating. If the organization mandates longer (stronger) passwords and/or frequent password changes, they become more diffi cult to remember, causing employees to write them down. What is needed is a way for a user to create a strong password that is easy to remember. A passphrase can help, either by being a password itself, or by helping you create a strong password.

A passphrase is a series of characters that is longer than a password but can be memo-rized easily. Examples of passphrases are “ maytheforcebewithyoualways ,” “ goaheadmake-myday ,” “ livelongandprosper ,” and “ aman’sgottoknowhislimitations .” A user can turn a pass-phrase into a strong password in this manner. Start with the last passphrase above, and use the fi rst letter of each word. You will have amgtkhl . Th en capitalize every other letter, to have AmGtKhL . Th en add special characters and numbers, to have 9AmGtKhL//*. Now you have a strong password that you can remember.

Many organizations are using multifactor authentication (more than one type of authentication) to more effi ciently and eff ectively identify authorized users. Th is type of authentication is particularly important when users are logging in from remote locations.

Single-factor authentication, which is notoriously weak, commonly consists simply of a password. Two-factor authentication consists of a password plus one type of biometric identifi cation (e.g., a fi ngerprint). Th ree-factor authentication is any combination of three authentication methods. You should keep in mind that stronger authentication is more expensive and can be irritating to users as well. Authorization. Once users have been properly authenticated, then the rights and privi-leges that they have on the organization’s systems are established, a process called authoriza-tion . Companies use the principle of least privilege for authorization purposes. A privilege is a collection of related computer system operations that can be performed by users of the system. Least privilege is a principle that users be granted the privilege for some activ-ity only if there is a justifi able need to grant this authorization. As you see in “ IT’s About Business 7.3,” granting the rights and privileges that users have on an organization’s infor-mation systems can be complicated.

Communications Controls Communications (network) controls secure the movement of data across networks. Com-munications controls consist of fi rewalls, anti- malware systems, whitelisting and blacklist-ing, encryption, virtual private networking (VPN), secure socket layer (SSL), and employee monitoring systems.



Information Security at City National Bank & Trust

City National Bank & Trust (www.cnbok.com) has 32 branches throughout Oklahoma and is continuing to expand the scope of its operations. Many of the bank’s new branches are located in Walmart Supercenters. In addition to its new branches, the bank implemented CityNET, its online banking service. CityNET is designed to make banking easy for its customers wherever they are. The bank also implemented services for improved customer convenience, including banking by phone and access to its statewide ATM system. During this expansion, the bank doubled the number of employees and quadrupled the size of its network.

The bank’s rapid growth in branches and customer service offerings, coupled with the global increase in malicious software, put the bank’s networks and employees at much greater risk. The security risks increased as growing numbers of employees needed access to the Web.

Before its expansion, the bank had appropriate controls in place to prevent employees from installing software. In addition, the bank strictly controlled the number of users with access to the Web. The bank could run reports to see what Web sites those employees were visiting and whether or not malware had been downloaded inadvertently. However, the IT group could only prevent such malware intrusions with antivirus software on desktops, not at the gateway to the bank’s network.

The IT group was also spending too much time constantly making small security policy changes. These changes included accepting a sender as friendly and blocking or adding a specifi c Web site. In short, the bank needed an enterprise security solution, not its current piecemeal security system.

The bank selected M86 Security (www.m86security.com) for its strong content fi ltering capabilities and its capability to dynamically set and change security policies. In weeks, the security system was protecting the bank from e-mail and Web-based malware and offensive content.

The bank quickly applied policy-based standards throughout its network. For example, it set a policy

to block e-mail messages with attached batch, executable, and .zip fi les. Another policy stopped employees from downloading potentially dangerous fi les and blocked access to offensive Web sites. With this level of control, the IT group can apply basic security policies to all employees and feel secure that employees cannot accidentally download malware.

The M86 Security system also helps the bank comply with the Sarbanes-Oxley Act. For example, the IT group can sample information to make sure that customers’ confi dential information, such as credit card numbers, is not leaving the company unencrypted.

The bank occasionally receives malware threats for which there are no antivirus digital signatures. In these cases, the threat is scanned and sent to the M86 Security content system. This system subjects the threat to the bank’s security policies. Threats that do not clear all policies are automatically quarantined.

The company’s e-mail policies are also stringent. For an employee to have external e-mail access, it must have a business justifi cation. This policy leaves 60 percent of the bank’s employees with only internal e-mail access, which presents a problem for those who need to obtain information and electronic statements about their retirement funds and 401(k) accounts via e-mail under the bank’s benefi ts plan.

The IT group can now provide this access to individuals without extending full external e-mail rights. This is an example of how the M86 Security system can help the bank create situation-by-situation policies without compromising the bank’s security standards.

The M86 Security system also provides excellent dynamic Web site categorization. If an employee accesses a Web site that has not already been classifi ed as pornographic, the security system scans all the content on the Web site and looks for characteristics that would indicate that the site is pornographic. If the site has those characteristics, access to it is blocked immediately, and the site is blacklisted.

Since installing the M86 Security system, the bank has gone from receiving a few thousand e-mail messages per day to fi ve million messages per month. Because the system is enterprisewide and centralized,




the bank can easily extend Web and internal and external e-mail protection to its new branches. Further, the bank can implement security policies that protect its entire organization from one centralized management console.

Questions

1. Why is it so important for organizations to establish enterprisewide security policies?

2. Are the bank’s e-mail policies too stringent? Why or why not? Support your answer.

Sources: Compiled from T. Austin, “How Banks Are Fighting Fraud,” Bank Info Security, February 1, 2011; M. Meason, “Bank Protects More Than Money,” Baseline Magazine, May 19, 2009; “Information Security Policies Are Your First Line of Defense,” BankersOnline.com, April 20, 2009; T. Claburn, “Most Bank Sites Are Insecure,” InformationWeek, July 23, 2008; www.cnbok.com, accessed February 6, 2011; www.m86security.com, accessed February 9, 2011.

Firewalls. A firewall is a system that prevents a specifi c type of information from mov-ing between untrusted networks, such as the Internet, and private networks, such as your company’s network. Put simply, fi rewalls prevent unauthorized Internet users from access-ing private networks. All messages entering or leaving your company’s network pass through a fi rewall. Th e fi rewall examines each message and blocks those that do not meet specifi ed security rules. Firewalls fi lter network traffi c according to categories of activities likely to cause problems, whereas anti- malware systems fi lter traffi c according to a database of specifi c problems.

Firewalls range from simple, for home use, to very complex for organizational use. Figure 7.3a shows a basic fi rewall for a home computer. In this case, the fi rewall is imple-mented as soft ware on the home computer. Figure 7.3b shows an organization that has implemented an external fi rewall, which faces the Internet, and an internal fi rewall, which faces the company network. Corporate fi rewalls typically consist of soft ware running on a computer dedicated to the task. A demilitarized zone (DMZ) is located between the two fi rewalls. Messages from the Internet must fi rst pass through the external fi rewall. If they conform to the defi ned security rules, then they are sent to company servers located in the DMZ. Th ese servers typically handle Web page requests and e-mail. Any messages desig-nated for the company’s internal network (e.g., its intranet) must pass through the internal fi rewall, again with its own defi ned security rules, to gain access to the company’s private network.

Internet

Internet

INTRANET

CORPORATE LAN

Broadband connection

DSL, cable modem, 3G, 4G

ExternalFirewall

InternalFirewall

Servers

Demilitarizedzone

Home Computer

Softwarefirewall

(a)

(b)

InternetServiceProvider

Figure 7.3 (a) Basic fi rewall for home computer. (b) Organization with two fi rewalls and demilitarized zone. (Source: © Dmitry Rukhlenko-Fotolia.com)



Th e danger from viruses and worms is so severe that many organizations are placing fi rewalls at strategic points inside their private networks. In this way, if a virus or worm does get through both the external and internal fi rewalls, then the internal damage may be contained.

Anti- malware Systems. Anti- malware systems (antivirus software) , also called AV, are soft ware packages that attempt to identify and eliminate viruses, worms, and other malicious soft ware. Th is soft ware is implemented at the organizational level by the infor-mation systems department. Hundreds of AV soft ware packages are currently available. Among the best known are Norton Antivirus (www.symantec.com), McAfee Virusscan (www.mcafee.com), and Trend Micro PC- cillin (www.trendmicro.com).

Anti- malware systems are generally reactive. Th ey work by creating defi nitions, or signatures, of various types of malware , and then updating these signatures in their products. Th e anti- malware soft ware then examines suspicious computer code to see if it matches a known signature. If it does, then the anti- malware soft ware will remove it. Th is is the reason why organizations update their malware defi nitions so oft en. (See Chapter Closing Case 2.)

Because malware is such a serious problem, the leading vendors are rapidly developing anti- malware systems that function proactively as well as reactively. Th ese systems evaluate behavior rather than relying on signature matching. In theory, therefore, it is possible to catch malware before it can infect systems.

Whitelisting and Blacklisting. A report by the Yankee Group (www.yankeeg r oup.com), a technology research and consulting fi rm, stated that 99 percent of organizations had anti- malware systems installed, but 62 percent of companies still suff ered successful malware attacks. As you have noted, anti- malware systems are usually reactive, and mal-ware continues to infect companies.

One solution to this problem is whitelisting . Whitelisting is a process in which a com-pany identifi es the soft ware that it will allow to run and does not try to recognize malware . Whitelisting permits acceptable soft ware to run and either prevents anything else from run-ning or lets new soft ware run in a quarantined environment until the company can verify its validity.

Whereas whitelisting allows nothing to run unless it is on the whitelist , blacklisting allows everything to run unless it is on the blacklist. A blacklist, then, includes certain types of soft ware that are not allowed to run in the company environment. For example, a com-pany might blacklist peer-to-peer fi le sharing on its systems. In addition to soft ware, people, devices, and Web sites can also be whitelisted and blacklisted.

Encryption. When organizations do not have a secure channel for sending information, they use encryption to stop unauthorized eavesdroppers. Encryption is the process of con-verting an original message into a form that cannot be read by anyone except the intended receiver.

All encryption systems use a key, which is the code that scrambles, and then decodes, the messages. Th e majority of encryption systems use public-key encryption. Public-key encryption —also known as asymmetric encryption —uses two diff erent keys: a public key and a private key (see Figure 7.4). Th e public key and the private key are created simultaneously using the same mathematical formula or algorithm. Because the two keys are mathemati-cally related, the data encrypted with one key can be decrypted by using the other key. Th e public key is publicly available in a directory that all parties can access. Th e private key is kept secret, never shared with anyone, and never sent across the Internet. In this system, if Alice wants to send a message to Bob, she fi rst obtains Bob’s public key, which she uses to encrypt (scramble) her message. When Bob receives Alice’s message, he uses his private key to decrypt (unscramble) it.

Although this system is adequate for personal information, organizations doing busi-ness over the Internet require a more complex system. In such cases, a third party, called a certificate authority , acts as a trusted intermediary between companies. As such, the certifi cate authority issues digital certifi cates and verifi es the worth and integrity of the certifi cates. A digital certificate is an electronic document attached to a fi le certifying



that the fi le is from the organization it claims to be from and has not been modified from its original format. As you can see in Figure 7.5, Sony requests a digital certifi cate from VeriSign , a certifi cate authority, and uses this certifi cate when doing business with Dell. Note that the digital certifi cate contains an identifi cation number, the issuer, valid-ity dates, and the requester’s public key. For examples of certifi cate authorities, see www.en t rust.com, www.verisign.com, www.cybertrust.com, www. s ecude.com, and www.tha w te.com. Virtual Private Networking. A virtual private network (VPN) is a private network that uses a public network (usually the Internet) to connect users. As such, VPNs integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the organization’s networks. VPNs are called “virtual” because they have no separate physical existence. Th ey use the public Internet as their infrastructure. Th ey create a virtual private network by using log-ins, encryption, and other techniques to enhance privacy.

VPNs have several advantages. First, they allow remote users to access the company network. Second, they allow fl exibility. Th at is, mobile users can access the organiza-tion’s network from properly confi gured remote devices. Th ird, organizations can impose their security policies through VPNs . For example, an organization may dictate that only corporate e-mail applications are available to users when they connect from unmanaged devices.

To provide secure transmissions, VPNs use a process called tunneling. Tunneling encrypts each data packet to be sent and places each encrypted packet inside another packet. In this

Figure 7.4 How public key encryption works. (Omnisec AG.)

Alice phone

Bob’s publickey

Bob’s privatekey

Encrypt Decrypt

Bob

Bob’s privatekey

CarolAlice David

others

Bob’s publickey

phone Bob

fax fax



manner, the packet can travel across the Internet with confi dentiality, authentication, and integrity. Figure 7.6 illustrates a VPN and tunneling. Secure Socket Layer (SSL). Secure socket layer , now called transport layer security (TLS) , is an encryption standard used for secure transactions such as credit card purchases and online banking. TLS encrypts and decrypts data between a Web server and a browser end to end.

TLS is indicated by a URL that begins with https rather than http, and it oft en includes a small padlock icon in the browser’s status bar. Using a padlock icon to indicate a secure connection, and placing this icon in a browser’s status bar, are artifacts of specifi c browsers. Other browsers use other icons (e.g., a key that is either broken or whole). Th e important thing to remember here is that browsers usually provide visual confi rmation of a secure connection. Employee Monitoring Systems. Many companies are taking a proactive approach to protecting their networks from what they view as one of their major security threats, namely employee mistakes. Th ese companies are implementing employee monitoring systems , which monitor their employees’ computers, e-mail activities, and Internet surfi ng activities.

VeriSign createsdigital certificate

for Sony

Sony requestsdigital certificate

from VeriSign

VeriSign transmits digital certificate to Sony

Sony presents digital certificate to Dellfor authentication purposes

Dell

Sony VeriSign DigitalCertificate

Number: 12691Issuer: VeriSignValid From 7/1/10 to 6/30/11Sony

Sony public key 0110111010110001

1 2

3

4

Figure 7.5 How digital certifi cates work. Sony and Dell, business partners, use a digital certifi cate from VeriSign for authentication.

INTERNET

TunnelYour

business partner’sintranet

Your organization’s

intranetData

Figure 7.6 Virtual private network and tunneling.



Th ese products are useful to identify employees who spend too much time surfi ng on the Internet for personal reasons, who visit questionable Web sites, or who download music illegally. Vendors that provide monitoring soft ware include SpectorSoft (www.spect o rsoft.com) and Websense (www.web s ense.com).

Business Continuity Planning An important strategy for organizations is to be prepared for any eventuality. A critical element in any security system is a business continuity plan, also known as a disaster recovery plan.

Business continuity is the chain of events linking planning to protection and to recov-ery. Th e purpose of the business continuity plan is to provide guidance to people who keep the business operating aft er a disaster occurs. Using this plan, employees prepare for, react to, and recover from events that aff ect the security of information assets and the subsequent restoration to normal business operations. Th e plan helps to ensure that critical business functions continue.

In the event of a major disaster, organizations can employ several strategies for busi-ness continuity. Th ese strategies include hot sites, warm sites, and cold sites. A hot site is a fully confi gured computer facility, with all services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone sys-tems, applications, and workstations. A warm site provides many of the same services and options of the hot site. However, a warm site typically does not include the actual applica-tions the company needs. A warm site does include computing equipment such as servers, but it oft en does not include user workstations. A cold site provides only rudimentary ser-vices and facilities, such as a building or room with heating, air conditioning, and humidity control. Th is type of site provides no computer hardware or user workstations. Th e point of a cold site is that it takes care of long lead-time issues. Building, or even renting, space takes a long time. Installing high-speed communication lines, oft en from two or more carriers, takes a long time. Installing high-capacity power lines takes a long time. By comparison, buying and installing servers should not take a particularly long time.

Hot sites reduce risk to the greatest extent, but they are the most expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option.

Information Systems Auditing Companies implement security controls to ensure that information systems work properly. Th ese controls can be installed in the original system, or they can be added aft er a system is in operation. Installing controls is necessary but not suffi cient to provide adequate security. In addition, people responsible for security need to answer questions such as these: Are all controls installed as intended? Are they eff ective? Has any breach of security occurred? If so, what actions are required to prevent future breaches?

Th ese questions must be answered by independent and unbiased observers. Such observers perform the task of information systems auditing . In an IS environment, an audit is an examination of information systems, their inputs, outputs, and processing. Types of Auditors and Audits. Th e two types of auditors and audits are internal and external. IS auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors. An external auditor reviews the fi ndings of the internal audit as well as the inputs, processing, and outputs of information systems. Th e external audit of information systems is frequently a part of the overall external auditing performed by a certifi ed public accounting (CPA) fi rm.

IS auditing considers all potential hazards and controls in information systems. It focuses on topics such as operations, data integrity, soft ware applications, security and pri-vacy, budgets and expenditures, cost control, and productivity. Guidelines are available to assist auditors in their jobs, such as those from ISACA (formerly the Information Systems Audit and Control Association, www.is a ca.org) . How Is Auditing Executed? IS auditing procedures fall into three categories: (1) auditing around the computer, (2) auditing through the computer, and (3) auditing with the computer.



Auditing around the computer means verifying processing by checking for known out-puts using specifi c inputs. Th is approach is best used in systems with limited outputs. In auditing through the computer, inputs, outputs, and processing are checked. Auditors review program logic and test data. Auditing with the computer means using a combination of client data, auditor soft ware, and client and auditor hardware. Th is approach allows the auditor to perform tasks such as simulating payroll program logic using live data.

BEFORE YOU GO ON . . . 1. What is the single most important information security control for

organizations? 2. Differentiate between authentication and authorization. Which one of

these always comes fi rst? 3. Compare and contrast whitelisting and blacklisting. 4. What is the purpose of a disaster recovery plan? 5. What is information system auditing?


1. What security controls should Ruben and Lisa put in place to help ensure the safety of sensitive customer information?

2. Should Ruben and Lisa put these controls in place, or should they hire a third-party vendor to put them in place?


Objective: The objective of this exercise is to become familiar with security controls.

Chapter Connection: This case relates to Chapter 7, Section 7.5 on information security controls. Security controls are designed to protect all of the components of an information system, including data, software, hardware, and networks. Because there are so many diverse threats, organizations utilize layers of controls. This activity focuses on one of these.

Prerequisites: Before doing this exercise, you should read Section 7.5 to become familiar with security controls.

Activity: Public key encryption is used in sending data you want to keep secure.

View the following video: http://www.youtube.com/watch?v=a72fHRr6MRU

Read about public key encryption: http://computer.howstuffworks.com/encryption3.htm

Deliverables:Prepare answers to the following questions:

1. What is the difference between the public key and the private key? How is each used?

2. Public key encryption requires how many keys to work?

3. What is encryption?

4. What is the problem with using only one key or private key encryption?


1. How many keys does public key encryption use?

(a) 1(b) 2 (c) 3(d) 4

2. Who knows the private key?

(a) The company(b) The computer



(c) The receiver(d) All of the above

3. Who knows the public key?

(a) Only the computer(b) Only the receiver (c) Only the customers(d) All who want to communicate securely with the

receiver

4. The key pairs are based on

(a) Only even numbers(b) Only odd numbers

(c) Only prime numbers(d) Only numbers divisible by 5

Discussion Questions:Discuss the benefi ts of public key encryption (two keys) over private key encryption (one key). What is the problem with using only one key? What is the benefi t of using two keys?

FOR THE ACCOUNTING MAJORPublic companies, their accountants, and their auditors have signifi cant infor-mation security responsibilities. Accountants are now being held professionally responsible for reducing risk, ensuring compliance, eliminating fraud, and increas-

ing the transparency of transactions according to generally accepted accounting princi-ples (GAAP). Th e Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB), among other regulatory agencies, require informa-tion security, fraud prevention and detection, and internal controls over fi nancial reporting. Forensic accounting, a combination of accounting and information security, is one of the most rapidly growing areas in accounting today.

FOR THE FINANCE MAJORBecause information security is essential to the success of organizations today, it is no longer just the concern of the chief information offi cer (CIO). As a result of global regulatory requirements and the passage of Sarbanes-Oxley, responsibility for information security lies with the chief executive offi cer (CEO) and chief fi nan-

cial offi cer (CFO). Consequently, all aspects of the security audit, including the security of information and information systems, are a key concern for fi nancial managers.

In addition, CFOs and treasurers are increasingly involved with investments in infor-mation technology. Th ey know that a security breach of any kind can have devastating fi nancial eff ects on a company. Banking and fi nancial institutions are prime targets for computer criminals. A related problem is fraud involving stocks and bonds that are sold over the Internet. Finance personnel must be aware of both the hazards and the available controls associated with these activities.

FOR THE MARKETING MAJORMarketing professionals have new opportunities to collect data on their custom-ers (e.g., through business-to-consumer electronic commerce). Customers expect their data to be properly secured. However, profi t-motivated criminals want that

What’s in for ME?IT



data. Th erefore, marketing managers must analyze the risk of their operations. Failure to protect corporate and customer data will cause signifi cant public relations problems and make customers very angry. Customer relationship management (CRM) operations and tracking customers’ online buying habits can expose data to misuse (if they are not encrypted) or result in privacy violations.

FOR THE PRODUCTION/OPERATIONS MANAGEMENT MAJOR

Every process in a company’s operations—inventory purchasing, receiving, quality control, production, and shipping—can be disrupted by an information technology security breach or an IT security breach at a business partner. Any weak link in supply chain management or enterprise resource management systems puts the entire chain

at risk. Companies may be held liable for IT security failures that impact other companies.

FOR THE HUMAN RESOURCES MANAGEMENT MAJOR

HR managers have responsibilities to secure confi dential employee data. In addi-tion, they must ensure that all employees explicitly verify that they understand the company’s information security policies and procedures.

FOR THE MIS MAJORTh e MIS function provides the security infrastructure that protects the organiza-tion’s information assets. Th is function is critical to the success of the organization, even though it is almost invisible until an attack succeeds. All application devel-opment, network deployment, and introduction of new information technologies

have to be guided by IT security considerations. MIS personnel must customize the risk-exposure security model to help the company identify security risks and prepare responses to security incidents and disasters.

Senior executives of publicly held companies look to the MIS function for help in meeting Sarbanes-Oxley requirements, particularly in detecting “signifi cant defi ciencies” or “material weaknesses” in internal controls and remediating them. Other functional areas also look to the MIS function to help them meet their security responsibilities.

>>> S U M M A RY

1. Discuss the fi ve factors contributing to the increasing vulnerability of information resources and give one specifi c example of each factor.

Th e fi ve factors are:

> Today’s interconnected, interdependent, wirelessly networked business environment

>> Example: the Internet

> Smaller, faster, cheaper computers and storage devices

>> Examples: netbooks , thumb drives, iPads

> Decreasing skills necessary to be a computer hacker

>> Example: information system hacking programs circulating on the Internet

> International organized crime taking over cybercrime

>> Example: Organized crime has formed transnational cybercrime cartels. Because it is diffi cult to know exactly where cyberattacks originate, these cartels are extremely hard to bring to justice.


Summary 267

> Lack of management support

>> Example: Suppose that your company spent $10 million on information security countermeasures last year and experienced no successful attacks on information resources. Shortsighted management might conclude that the company could spend less during the next year and obtain the same results. Bad idea.

2. Compare and contrast human mistakes and social engineering, and give a specifi c example of each.

Human mistakes are unintentional errors. However, employees can also make unintentional mistakes as a result of actions by an attacker, such as social engineering. Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confi dential company information.

An example of a human mistake is tailgating. An example of social engineering is when an attacker calls an employee on the phone and impersonates a superior in the company.

3. Describe the types of deliberate attacks.

Th e types of deliberate attacks are:

> Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access to organizational information.

> Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. Th e perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

> Sabotage and vandalism are deliberate acts that involve defacing an organization’s Web site, possibly causing the organization to lose its image and experience a loss of confi dence by its customers due to sabotage or vandalism.

> Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage, making these devices easier and more valuable to steal .

> Identity theft is the deliberate assumption of another person’s identity, usually to gain access to his or her fi nancial information or to frame him or her for a crime.

> Protecting intellectual property is a vital issue for people who make their livelihood in knowledge fi elds. Protecting intellectual property is particularly diffi cult when that property is in digital form.

> Soft ware attacks occur when malicious soft ware penetrates a computer system. Today, these attacks are typically profi t driven and Web based.

> Alien soft ware is clandestine soft ware that is installed on a computer through duplicitous methods. Alien soft ware uses valuable system resources and can report on your Web surfi ng habits and other personal behavior.

> Supervisory control and data acquisition (SCADA) refers to a large-scale, distributed, measurement and control system. SCADA systems are used to monitor or to control chemical, physical, or transport processes. A SCADA attack attempts to compromise such a system in order to cause damage to the real-world processes that the system controls.

> With both cyberterrorism and cyberwarfare , attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.

4. Defi ne the three risk mitigation strategies, and give an example of each in the context of you owning a home.

Th e three risk mitigation strategies are:

> With risk acceptance , the organization accepts the potential risk, continues operating with no controls, and absorbs any damages that occur. If you own a home, you may decide not to insure it. Th us, you are practicing risk acceptance. Clearly, this is a bad idea.

> With risk limitation , the organization limits the risk by implementing controls that minimize the impact of threats. As a home owner, you practice risk limitation by putting in an alarm system or by cutting down weak trees near your house.

> With risk transference , the organization transfers the risk by using other means to compensate for the loss, such as by purchasing insurance. Th e vast majority of home owners practice risk transference by purchasing insurance on their houses and contents.

5. Identify the three major types of controls that organizations can use to protect their information resources, and give an example of each.

Physical controls prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems. More sophisticated physical controls include pressure sensors, temperature sensors, and motion detectors.

Access controls restrict unauthorized individuals from using information resources. Th ese controls involve two major functions: authentication and authorization. Authentication determines the identity of the person requiring access. As an example, authentication can be established through the use



>>> CHAPTER GLOSSARY

of biometrics. Aft er the person is authenticated (identifi ed), authorization is applied. Authorization determines which actions, rights, or privileges the person has, based on veri-fi ed identity. As an example, authorization is based on least privilege.

Communications (network) controls secure the movement of data across networks. Communications controls consist of fi rewalls, anti- malware systems, whitelisting and blacklisting, encryption, virtual private networking (VPN), secure socket layer (SSL), and vulnerability management systems.

access controls Controls that restrict unauthorized individuals from using information resources and are concerned with user identifi cation.

adware Alien soft ware designed to help pop-up advertisements appear on your screen.

alien software Clandestine soft ware that is installed on a com-puter through duplicitous methods.

anti- malware systems (antivirus software) Soft ware pack-ages that attempt to identify and eliminate viruses, worms, and other malicious soft ware.

audit An examination of information systems, their inputs, outputs, and processing.

authentication A process that determines the identity of the person requiring access.

authorization A process that determines which actions, rights, or privileges the person has, based on verifi ed identity.

back door (also known as trap door ) Typically a password, known only to the attacker, that allows the attacker to access the system without having to go through any security procedures.

biometrics Th e science and technology of authentication (i.e., establishing the identity of an individual) by measuring the subject’s physiologic or behavioral characteristics.

blacklisting A process in which a company identifi es certain types of soft ware that are not allowed to run in the company environment.

certificate authority A third party that acts as a trusted intermediary between computers (and companies) by issuing digital certificates and verifying the worth and integrity of the certificates.

cold site A backup location that provides only rudimentary services and facilities.

communications (network) controls Controls that deal with the movement of data across networks.

controls Defense mechanisms (also called countermeasures ).

cookies Small amounts of information that Web sites store on your computer, temporarily or more-or-less permanently.

copyright A grant that provides the creator of intellectual prop-erty with ownership of it for the life of the creator plus 70 years.

cybercrime Illegal activities executed on the Internet.

cyberterrorism Can be defi ned as a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.

cyberwarfare War in which a country’s information systems could be paralyzed from a massive attack by destructive soft ware.

demilitarized zone (DMZ) A separate organizational local area network that is located between an organization’s internal network and an external network, usually the Internet.

denial-of-service attack A cyberattack in which an attacker sends a fl ood of data packets to the target computer, with the aim of overloading its resources.

digital certificate An electronic document attached to a fi le cer-tifying that this fi le is from the organization it claims to be from and has not been modifi ed from its original format or content.

distributed denial-of-service ( DDoS ) A denial-of-service attack that sends a fl ood of data packets from many compromised computers simultaneously.

employee monitoring systems Systems that monitor employees’ computers, e-mail activities, and Internet surfi ng activities.

encryption Th e process of converting an original message into a form that cannot be read by anyone except the intended receiver.

exposure Th e harm, loss, or damage that can result if a threat compromises an information resource.

firewall A system (either hardware, soft ware, or a combination of both) that prevents a specifi c type of information from moving between untrusted networks, such as the Internet, and private net-works, such as your company’s network.

hot site A fully confi gured computer facility, with all information resources and services, communications links, and physical plant operations, that duplicate a company’s computing resources and provide near real-time recovery of IT operations.

identity theft Crime in which someone uses the personal infor-mation of others to create a false identity and then uses it for some fraud.

information security Protecting an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modifi cation, or destruction.

information systems controls Th e procedures, devices, or soft -ware aimed at preventing a compromise to a system.


Chapter Glossary 269

intellectual property Th e intangible property created by indi-viduals or corporations that is protected under trade secret, patent, and copyright laws.

keystroke loggers ( keyloggers ) Hardware or soft ware that can detect all keystrokes made on a compromised computer.

least privilege A principle that users be granted the privilege for some activity only if there is a justifi able need to grant this authorization.

logic bomb Segments of computer code embedded within an organization’s existing computer programs.

malware malicious soft ware such as viruses and worms.

network controls ( see communications controls ).

passphrase A series of characters that is longer than a password but that can be memorized easily.

passwords Private combinations of characters that only the user should know.

patent A document that grants the holder exclusive rights on an invention or process for 20 years.

phishing attack An attack that uses deception to fraudulently acquire sensitive personal information by masquerading as an offi cial-looking e-mail.

physical controls Controls that restrict unauthorized individuals from gaining access to a company’s computer facilities.

piracy Copying a soft ware program (other than freeware, demo soft ware, etc.) without making payment to the owner.

privacy Th e right to be left alone and to be free of unreasonable personal intrusion.

privilege A collection of related computer system operations that can be performed by users of the system.

public-key encryption (also called asymmetric encryption ) A type of encryption that uses two diff erent keys: a public key and a private key.

risk Th e likelihood that a threat will occur.

risk acceptance A strategy in which the organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur.

risk analysis The process by which an organization assesses the value of each asset being protected, estimates the probability that each asset might be compromised, and compares the prob-able costs of each being compromised with the costs of protect-ing it.

risk limitation A strategy in which the organization limits its risk by implementing controls that minimize the impact of a threat.

risk management A process that identifi es, controls, and mini-mizes the impact of threats, in an eff ort to reduce risk to manageable levels.

risk mitigation A process whereby the organization takes con-crete actions against risks, such as implementing controls and devel-oping a disaster recovery plan.

risk transference A process in which the organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance.

SCADA (Supervisory Control and Data Acquisition) Large-scale, distributed, measurement and control systems used to monitor or to control chemical, physical, or transport processes.

secure socket layer ( SSL ) (also known as transport layer secu-rity ) An encryption standard used for secure transactions such as credit card purchases and online banking.

security Th e degree of protection against criminal activity, danger, damage, and/or loss.

signature recognition Th e user signs his or her name, and the system matches this signature with one previously recorded under controlled, monitored conditions.

social engineering Getting around security systems by tricking computer users inside a company into revealing sensitive informa-tion or gaining unauthorized access privileges.

spam Unsolicited e-mail.

spamware Alien soft ware that uses your computer as a launch platform for spammers.

spyware Alien soft ware that can record keystrokes and/or capture passwords.

strong passwords Passwords that are diffi cult to guess; longer rather than shorter; contain uppercase and lowercase letters, num-bers, and special characters; and are not a recognizable word or string of numbers.

threat Any danger to which an information resource may be exposed.

trade secret Intellectual work, such as a business plan, that is a company secret and is not based on public information.

transport layer security (TLS) ( see secure socket layer ).

trap doors ( see back door ).

Trojan horse A soft ware program containing a hidden function that presents a security risk.

tunneling A process that encrypts each data packet to be sent and places each encrypted packet inside another packet.

virtual private network (VPN) A private network that uses a public network (usually the Internet) to securely connect users by using encryption.

virus Malicious computer code that can attach itself to (or “infect”) other computer programs without the owner of the program being aware of the infection.

voice recognition Th e user speaks a phrase that has been pre-viously recorded under controlled, monitored conditions, and the voice recognition system matches the two voice signals.

vulnerability Th e possibility that an information resource will suff er harm by a threat.

warm site A site that provides many of the same services and options of a hot site but does not include the company’s applications.



whitelisting A process in which a company identifi es acceptable soft ware and permits it to run, and either prevents anything else from running or lets new soft ware run in a quarantined environ-ment until the company can verify its validity.

worm Destructive computer code that replicates itself with-out requiring another program to provide a safe environment for replication.

>>> DISCUSSION QUESTIONS

1. Why are computer systems so vulnerable? 2. Why should information security be of prime concern to

management? 3. Is security a technical issue? A business issue? Both?

Support your answer. Hint: Read Kim Nash, “Why Technology Isn’t the Answer to Better Security,” CIO (ww w .cio.com), October 15, 2008.

4. Compare information security in an organization with insuring a house.

5. Why are authentication and authorization important to e-commerce?

6. Why is cross-border cybercrime expanding rapidly? Discuss possible solutions.

7. Discuss why the Sarbanes-Oxley Act is having an impact on information security.

8. What types of user authentication are used at your university and/or place of work? Do these authentication measures seem to be eff ective? What if a higher level of authentication were implemented? Would it be worth it, or would it decrease productivity?

9. Why are federal government authorities so worried about SCADA attacks?

>>> PROBLEM-SOLVING ACTIVITIES

1. A critical problem is assessing how far a company is legally obligated to go in order to secure personal data. Because there is no such thing as perfect security (i.e., there is always more that can be done), resolving this question can signifi cantly aff ect cost.

a. When are security measures that a company implements suffi cient to comply with its obligations?

b. Is there any way for a company to know if its security measures are suffi cient? Can you devise a method for any organization to determine if its security measures are suffi cient?

2. Assume that the daily probability of a major earthquake in Los Angeles is .07 percent. Th e chance of your computer center being damaged during such a quake is 5 percent. If the center is damaged, the average estimated damage will be $4.0 million.

a. Calculate the expected loss in dollars. b. An insurance agent is willing to insure your facility

for an annual fee of $25,000. Analyze the off er, and discuss whether to accept it.

3. Enter www.scambu s te r s.org. Find out what the organization does. Learn about e-mail scams and Web site scams. Report your fi ndings.

4. Visit www.dhs.gov/index.shtm (Department of Homeland Security). Search the site for “National Strategy to Secure

Cyberspace,” and write a report on the agency’s agenda and accomplishments to date.

5. Enter www.alltr u s tnetworks.com and other vendors of biometrics. Find the devices they make that can be used to control access into information systems. Prepare a list of products and major capabilities of each.

6. Soft ware piracy is a global problem. Access the following Web sites: www.b s a.org and www.m i crosoft.com/piracy. What can organizations do to mitigate this problem? Are some organizations dealing with the problem better than others?

7. Investigate the Sony Playstation Network hack that occurred in April 2011.

a. What type of attack was it? b. Was the success of the attack due to technology

problems at Sony, management problems at Sony, or a combination of both? Provide specifi c examples to support your answer.

c. Which Sony controls failed? d. Could Sony have prevented the hack? If so, how? e. Discuss Sony’s response to the hack. f. Describe the damages that Sony incurred from the

successful hack.


Closing Case 1 271

>>> TEAM ASSIGNMENTS

1. Access www.f t c.g o v/sentinel to learn more about how law enforcement agencies around the world work together to fi ght consumer fraud. Each team should obtain current statistics on one of the top fi ve consumer complaint categories and prepare a report. Are any categories growing faster than others? Are any categories more prevalent in certain parts of the world?

2. Read “In the Matter of BJ’s Wholesale Club, Inc., Agreement containing Consent Order, FTC File No. 042 3160, June 16, 2005” at www.ftc. g ov/opa/2005/ 0 6/bjswholesale.htm. Describe the security breach at BJ’s

Wholesale Club. What was the reason for this agreement? Identify some of the causes of the security breach and how BJ’s can better defend itself against hackers and legal liability.

3. Read the article “Th e Security Tools You Need” at http://www.pcworld.com/downl o ads/collection/collid,1525/files.html. Each team should download a product and discuss its pros and cons for the class. Be sure to take a look at all the comments posted about this article.

CLOSING CASE 1 > Cybercriminals Use Social

Networks for Targeted Attacks

Each infected personal computer in a corporate network represents a potential point of access to valuable intellectual property, such as customer information, patents, and stra-tegic documents. Th e attackers who breached Google and 30 other technology, media, defense, and fi nancial companies from mid- to late 2009 were aft er these kinds of infor-mation. Dubbed Operation Aurora by cyber security company McAfee (www.mcafee.com), the attacks were likely initiated by fake friendly messages sent to specifi c employ-ees at the targeted companies. How do such attacks work? Take a look at the following example.

Bob works for a large U.S. fi nancial company. Somehow, attackers gained access to Bob’s Facebook account, logged into it, grabbed his contact list of 50 to 60 friends, and began manually reviewing messages and postings on his profi le page. Th e attackers noted discussions about a recent company picnic and sent individual messages to Bob’s friends who worked at his company.

Alice, one of Bob’s co-workers, received a Facebook message from Bob, asking her to take a look at pictures from the company picnic. She had, in fact, attended the picnic with Bob. When she clicked on the accompanying Web link, she expected to see Bob’s pic-tures, but the message had come from the attackers and the link carried malicious soft ware ( malware ).

Upon clicking on the link, Alice unknowingly downloaded a keystroke logger, which was designed to save everything she typed at her keyboard and, once per hour, send a text fi le of all her keystrokes to a free Gmail account controlled by the attackers. (Th e keystroke logger was available free on the Internet.) Th e attackers reviewed Alice’s hourly keystroke reports and noted when she logged into a virtual private network account to access her company’s network. With her username and password, the attackers logged on to the fi nancial fi rm’s network and gained access to the company’s servers and all the sensitive information they contain. Th e attackers also took control of Alice’s computer without her knowing it. As such, her computer became a zombie computer, under the control of the attackers.

Successful breaches, such as the preceding example, illustrate a shift in the way cyber-criminals attack their targets. Th ey are aggressively taking advantage of an unanticipated hole in corporate defenses: the use of social networks in corporate settings. Th ey are using the personal information provided by individuals communicating on social networks.

<<<THE PROBLEM



Th ese networks provide a rich repository of information that cybercriminals can use to more precisely target individual corporate employees through phishing attacks. (A phish-ing attack is an attack that uses deception to fraudulently acquire sensitive information by masquerading as an authentic-looking e-mail.) In fact, the attacks are so precisely targeted that they have a new name, spear fi shing. (Spear fi shing attacks are phishing attacks that target specifi c individuals.)

In addition to copying or stealing sensitive personal and corporate information, attackers combine many zombie computers into botnets , which can contain millions of computers. Th e attackers then use these botnets to execute all forms of cybercrime .

In just four weeks in early 2010, cyberthieves known as the Kneber gang stole 3,644 usernames and passwords for Facebook accounts from individuals in over 2,000 companies. Stolen credentials like these fl ow into hacking Web sites where a batch of 1,000 Facebook username and password pairs, guaranteed valid, sell for $75 to $200, depending on the number of “friends” tied to the accounts. From each account, thieves can gather up e-mail addresses, contact lists, birth dates, hometowns, mothers’ maiden names, photos, and recent gossip—all useful for targeting specifi c victims and turning their computers into zombies.

In another example of attacks on social networking sites, the Koobface worm targets users of social networking Web sites, including Facebook (its name is an anagram of Face-book ), Twitter, MySpace , hi5, Bebo , Friendster , and others. A study by the Information Warfare Monitor (www.info w ar-monitor.net) revealed that the operators of the Koobface worm generated over $2 million in revenue from June 2009 to June 2010. Kaspersky Labs (http:// u sa.kaspersky.com), a security fi rm, estimates that 500,000 Koobface -controlled personal computers are active on the Internet on any given day.

Facebook , the dominant social network and, therefore, the biggest target, is partnering with Microsoft and security fi rm McAfee to help fi lter malicious programs. A Facebook spokesperson said that this process should keep compromised accounts to a minimum. Th e spokesperson went on to say that Facebook is “constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links, and help people restore access to their accounts.”

Unfortunately, vulnerabilities in social networking Web sites continue to be exploited. Many owners of infected zombie computers do not know that their computers are com-promised. Th e best solution that will yield the best results is for all users of social networks to be extremely careful of what information they post on their pages. Further, all computer users must not click on any link in an e-mail, even if that e-mail comes from a supposedly trusted source.

However, there is some good news. Social networking users in the United States, more than any other country, limit the personal information they post and set privacy settings to restrict who can view their information. Th is fi nding comes from the 2010 Unisys Secu-rity Index, a bi-annual study conducted by market research company Lieberman Research Group (www.liebermanrese a rch.com).

Questions

1. Describe the diff erence between phishing attacks and spear fi shing attacks. Which attack is the most dangerous? Be specifi c as you support your answer.

2. What are specifi c actions that you can take to decrease your vulnerability to such attacks?

Sources : Compiled from “Information Security Experts at Facebook Fix Vulnerability Discovered by Indiana University Students,” EzineMark.com , February 3, 2011; R. McMillan, “Five 2010 Stories Th at Nobody Predicted,” CIO , January 3, 2011; T. Eston , “Social Networks’ Th reat to Security,” InformationWeek , October 30, 2010;

AN ATTEMPTED SOLUTION>>>

THE RESULTS>>>


Closing Case 2 273

M. Schwartz, “Americans Maximize Social Network Security,” InformationWeek , October 27, 2010; A. Freed, “Enterprise Information Security and Social Networks,” Infosec Island , October 25, 2010; M. Schwartz, “Social Networks Pose Security Risks to SMBs ,” InformationWeek , September 14, 2010; A. Diana, “Employees Flout Social Network Security Policies,” InformationWeek , July 23, 2010; M. Schwartz, “Social Network Security Policies Lacking,” InformationWeek , June 28, 2010; “ Facebook Fixes Bug Th at Exposed Private Chats,” CIO , May 5, 2010; N. Roiter , “Tweet Th is: Social Network Security Is Risky Business,” Computerworld , March 4, 2010; B. Acohido , “An Invita-tion to Crime,” USA Today , March 4, 2010; Admin, “Hacking a Corporate Network with Facebook ,” Information Security Resources , January 12, 2010.

CLOSING CASE 2 >

Who Is Minding the Security Store?

On Wednesday, April 21, 2010, computers in companies, hospitals, and schools around the world got stuck repeatedly rebooting themselves aft er an antivirus program from security vendor McAfee (www.mcafee.com) identifi ed a normal Windows fi le as a virus. Only com-puters running Windows XP Service Pack 3 in combination with McAfee VirusScan 8.7 were aff ected. Th e problems were widespread.

• About a third of the hospitals in Rhode Island had to postpone elective surgeries and stop treating patients without traumas in emergency rooms.

• In Kentucky, state police offi cers were told to shut down the computers in their patrol cars as technicians tried to fi x the problem.

• Th e National Science Foundation in Arlington, Virginia, lost computer access. • At Illinois State University in Normal, Illinois, dozens of computers in the College of

Business became inoperable. McAfee pushes daily updates to its corporate customers, and the April 21, 2010, update

was intended to detect and destroy a minor threat, the “W32/wecorl.a” virus. However, the update incorrectly identifi ed the critical “svchost.exe” fi le in Windows XP Service Pack 3 as malicious soft ware and then quarantined it. In some cases, the update actually deleted the fi le. Without svchost.exe a Windows personal computer will not boot (start up) correctly.

When users applied the McAfee update and then rebooted their computers, the com-puters crashed and rebooted repeatedly. Most of these computers lost all network capability as well. Adding to these problems, some computers became unable to recognize their own USB drives. Th is problem turned out to be major, since recovery required the reinstallation of svchost.exe, a process that could be done more easily by walking a fl ash drive from one crippled computer to the next.

Because virtually all the aff ected personal computers were unable to connect to a network, corporate IT personnel had to manually fi x each machine. (Of course, this process became much more diffi cult if the aff ected computers could not even recog-nize their own USB drives.)

Later on Wednesday, McAfee spelled out the steps to take in a document on its Web site. On Th ursday, the company made available a semi-automated tool that should be run on aff ected computers aft er entering Windows’ Safe Mode.

McAfee took two days (until April 23, 2010) to post on its Web site an FAQ (list of frequently asked questions) concerning the update disaster. Late on April 23, McAfee’s home page contained a link to a blog post by McAfee’s Barry McPherson, which attempted to minimize the issue. (Interestingly, McPherson was McAfee’s executive vice president of support and customer service, not its CEO.) McPherson pledged that McAfee would improve its quality assurance processes to see that this problem did not reoccur.

<<<THE PROBLEM

<<<THE SOLUTION

<<<THE RESULTS

Bnp


Most large McAfee customers had their computers up and running in two days or less. However, a number of small businesses that did not have IT departments were still trying to fi x their computers several days later.

Interestingly, perhaps modern organizations are somewhat to blame for this problem. Today, organizations are pushing for more rapid updates to their antivirus soft ware to mini-mize their exposure time to new malware threats. Correspondingly, antivirus vendors have speeded up the delivery of their soft ware updates in an attempt to match the pace of new malware development by hackers. Th ese rapid updates could cause security vendors to make mistakes in their quality control procedures, which you have seen happened to McAfee.

Questions

1. Discuss McAfee’s handling of the update disaster. Should McAfee have done anything diff erently? If so, what? Support your answer.

2. What should organizations do to prevent such problems in the future?

Sources: Compiled from G. Keizer , “McAfee Apologizes for Crippling PCs with Bad Update,” Computerworld , April 23, 2010; “McAfee Antivirus Program Goes Berserk, Freezes PCs,” Th e Economic Times , April 22, 2010; A. Kingsley-Hughes, “McAfee Issues Fix, and Apology, for Hosed XP SP3 PCs,” ZDNET.com , April 22, 2010; G. Keizer , “Th e McAfee Update Mess Explained,” PC World , April 22, 2010; E. Bott , “McAfee Admits ‘Inadequate’ Quality Control Caused PC Meltdown,” ZDNET.com , April 22, 2010; S. Choney , “Some Still Recovering from McAfee PC Problem,” MSNBC.com , April 22, 2010; “McAfee Program Goes Berserk, Reboots PCs,” MSNBC.com , April 21, 2010.

Ruben and Lisa have decided to employ a third party to handle their electronic commerce transactions (electronic commerce is presented in Chapter 9). Th ey do not want to store any customer payment information on their Web site. While they realize they are losing some money on each transaction in fees to the e-commerce provider, they consider this fee cost-eff ective risk transfer for them.

Specifi cally, they are considering the Google Checkout, Amazon Stores, eBay Stores, Yahoo! Business, and PayPal as viable possibilities for handling Ruby’s transactions. As their intern, they

want you to research these fi ve companies and provide feedback on each. Have any of them had any recent security breaches? If so, how were they handled, and what were the ramifi cations to customers (the companies provided with the e-commerce tools and the customers of that company)? What do their security policies state?

Aft er you do your research, write Ruben and Lisa a letter (in business format) and make a suggestion as to which company would best suit their needs.

RUBY’S CLUB INTERNSHIP ASSIGNMENTS

Objective: This activity will bring together the ideas of security and formula writing in a spreadsheet. Upon completion, you will be able to take data presented in written form, translate it into numbers, create formulas, and then rank security issues based on the spreadsheet you create.

Chapter Connection: Security issues are not all created equal. Some are frequent and inexpensive to overcome; others are rare and costly. Intentional and unintentional threats must be dealt with. But as a network manager, how do you know what deserves the most resources? Given that you never know where

SPREADSHEET ACT IV ITY



the next threat will come from, how will you allocate resources? This activity will bring this discussion to a spreadsheet and help you apply your math and spreadsheet skills to this very “real-world” situation.

Prerequisites: There are no prerequisites for this activity.

Activity: Consider the following situation. You are the network manager at a local bank. A number of security issues must be dealt with. However, like everyone else, you have limited resources. You only have $10,000 in your budget to allocate to security. This money can be spent on hardware, software, training, or anything else you deem worthy of this money. Here is a list of potential threats.

• Malware. If malware ends up installed on a computer in the system, it could easily spread to the other machines without anyone knowing it is there. The expense of repairing the machines and restoring data are minimal when compared to the cost of rebuilding trust in the consumer. Estimated total cost of marketing and repairing customer trust: $25,000. Probability of occurring: 35 percent. Cost of preventative maintenance and training: $3,500.

• Careless employees. Judy has to run to the restroom. Since she trusts everyone she works with, she walks away from her computer without locking it. While she is away from her desk and her computer is unlocked, Johnny walks in. No one thinks anything about Johnny on Judy’s computer because he is the local “computer guru” even though he is a janitor. While Judy is away and Johnny is on her computer, he transfers a total of $7,500 from over 150 total accounts by running a script in the computer system. When Judy returns, she sees Johnny on the computer and thanks him for watching it, laughing about how she accidentally left it unlocked. Probability of occurring: 5 percent. Cost of preventative maintenance and training: $2,000.

• Cloud computing. Banks rely on many software packages to accomplish their goals. Not the least of these are the many packages run by the home offi ce. These are accessed over the Internet, and private data are transferred back and forth. A hacker who is able to hack into the local system would by default have access to the cloud. The cost of this is monumental. Customer data from across the nation would be compromised. Having a backup of all data is imperative. Keeping employees trained on using the system, avoiding social engineering, changing passwords, and other issues are paramount to help protect the home offi ce and the local offi ce. Total potential loss: $2.5 million. Probability of occurrence: 2.5 percent. Cost of preventative maintenance and training: $7,000.

• Fire. This always a threat. If a fi re breaks out it could be devastating. Loss of technology equipment alone would run close to $20,000. Loss of records would be almost unrecoverable. However, the chance of fi re is relatively low. At a 2 percent chance of fi re, this is a minimal concern. The cost of preventative maintenance is not cheap. Sprinklers have to be inspected, fi re retardant material must be tested, and fi re extinguishers must be replaced. Total preventative maintenance cost is $1,500. However the total potential loss is a devastating $250,000.

Given that most people agree that risk (R) is equal to the consequence (C) multiplied by the probability of occurrence (P):

R � C*PCreate a spreadsheet that calculates this formula. Then use your estimated risk to fi gure the return on security investment (ROSI) that most consider to be equal to risk avoided (R; hopefully it will be avoided by the investment) divided by the cost of preventative maintenance (PM).

ROSI � R/PMThis number represents the “impact” of an investment and can be used to help determine how to create a budget so that the return is maximized. The higher the number, the more of the risk is covered by the investment. Use this number to prioritize where to make security investments.

Since your budget is only $10,000, you will need to determine where to spend your money. According to this scenario, total coverage would cost $14,000. Use the ROSI to recommend a budget. Also provide your spreadsheet for justifi cation of the budget.

Deliverables: The fi nal product will be a spreadsheet formula, ranking, and presentation of a suggested budget.

Quiz Questions:

1. Are all security threats intentional?2. When building a spreadsheet in Microsoft Excel

and copying formula down from the top of a column to the bottom, you move your cursor to (a) The top left corner(b) The top right corner (c) The bottom right corner(d) The bottom left corner (e) You just click and drag anywhere in the cell you

desire to copy.3. Correct formula writing is very important because

of which of the following? (a) An incorrect formula will provide incorrect data

and wrong decisions may be made.

Spreadsheet Activity 275


(b) If an incorrect formula is copied to other cells, the mistake will be multiplied.

(c) If other formulas are built on the answer created by this formula, then the mistake will be compounded.

(d) All of the above.

Discussion Questions:

1. Discuss the advantages and disadvantages of building a formula once and copying it to multiple rows or columns.

2. Discuss the importance of taking verbal or written clues and being able to build a spreadsheet. Is a spreadsheet the ultimate combination of math and business?

3. Given that no one has unlimited resources, is it possible to ever cover all the bases and ensure security? What type of agreement must there be between the business and the consumer for this situation to exist and be acceptable?

DATABASE ACT IV ITY: TABLES II

Objective Information systems need checks to catch errors in the entry of data. Not all errors can be caught, but many can be. You’ll learn a few of the methods here using the following features of Microsoft Access:

• Default values • Range checks • Value checks against a list

Chapter Connection Security includes keeping bad data out of databases. Checking data as entered can prevent many errors and some mischief. Here, you’ll see how Access checks data as it is entered. Other database management systems work in much the same way.

Prerequisites Before you begin this activity, you will need to familiarize yourself with and practice three concepts: default val-ues, validation checks based on a range of valid data, and validation checks against a list. The following sec-tions introduce these concepts and provide practice in dealing with them. Read these sections and complete the brief practice items before moving to the larger activity.

DEFAULT VALUES

A default value is the value a data item has if no other value is entered. Say an Ohio college attracts primarily


students from the Dayton area. Most of its applicants have a home phone in area code 937. A database could pre-enter 937 as the area code of new applicants. The work-study student who enters applicant information into a database can change it for those with different area codes, but having it saves time and reduces errors overall.

To enter a default value for a fi eld in an Access table:

1. Open the table in Design view. 2. Select the fi eld for which you want to specify a

default value. 3. Find the Default Value row in the Field Properties

pane, under the General tab. 4. Click on the right side of this row and key in the

desired value, as shown in Figure 7A.1.

Usage Hint: You can also assign default values and perform validation checks on fi elds in forms instead of in tables. In the form’s Layout or Design view, open its Property Sheet, select a fi eld, select the Data or All tab on the Property Sheet, and continue as above. The check will be applied only to data entered via that form. Checks entered in table defi nitions are applied to all data entered in any way.

5. Go to Datasheet view to confi rm that the default value was entered correctly. You should see the value in the bottom (New) row of the table. If you enter a default value in a form, you won’t see it in the table’s Datasheet view, but you will see it if you enter a new record via the form.


Database Activity 277

RANGE CHECKS

Database designers often need to make sure data are in an allowable range. For example, the quantity of something in an order must be greater than zero, or the year of birth of a pupil entering kindergarten in September 2011 might have to be 2006.

This, by the way, shows one reason for putting checking in a form rather than in the table on which the form is based. Suppose an occasional student born outside the usual year enters kindergarten. The school principal might have a different form, in which it can be 2005–07. Supervisors can often override data entry checks that apply to the workers they supervise.

To enter a range check for a fi eld in an Access table: 1. Open the table in Design view. 2. Select the fi eld for which you want to enter a range

check. 3. In the Field Properties pane below the list of fi elds,

under the General tab, fi nd the Validation Rule row. 4. In the right side of this row, enter an expression

that will evaluate to True or False, and is True for valid data. For example, the expression “�5” (without quotation marks) means the value entered in the fi eld must be greater than 5. The data the user enters is implied to the left of the “�.”

These comparison operators are used in validation expressions:

� (equal to) Seldom useful by itself. If you know what a value must be, why enter it? � (greater than)

� (less than) � � (greater than or equal to) � � (less than or equal to) �� (less than or greater than; that is, not equal to)

In addition, these are often useful in validation and other expressions:

AND requires both the condition on its left and the condition on its right to be met. “� � 0 AND � � 10” requires a value of at least zero but no more than ten.

OR requires either the condition on its left or the one on its right, possibly both, to be met. “�5 OR �50” excludes numbers from 5 to 50 but allows all others. (Be sure you understand why the expression means this.)

BETWEEN . . . AND . . . means just what you would think. “BETWEEN 0 AND 10” is another way to write the condition that was used as an example for AND.

IS NULL lets you leave a fi eld blank. Some versions of Access won’t let you leave one blank if it has a validation rule, since blank data does not satisfy the rule. If you want to allow the fi eld to be left empty, write “IS NULL OR . . .” where the rest of the rule is whatever you want as validation if anything at all is entered.

If you want to use a date in a condition, enclose it between #s. “� � #1/1/2010#” (without quotation marks) will accept any date in 2010 or later.

Instead of an actual date, you can write “DATE()” to mean today’s date. “�DATE( )” will accept any date in the future. This can be useful, for example, for delivery date estimates. It does not guarantee that the order will arrive then, but it prevents a promise to deliver something last week.

There is more. For example, you could make sure an account number consists of a letter followed by fi ve digits, the last of which is even. Once you understand how validation rules work, you can read up on the rest if you need to.

5. Optionally, but a good practice, enter an error message in the right side of the Validation Text row. Access will display it to the user if the test fails. A few suggestions: • Make messages informative. Use “Quantity must

be greater than zero,” not “Quantity error.” • Do not try to be funny. It is nearly impossible to

do this well. Even a genuinely funny message loses its humor after someone has seen it fi ve times.

• Do not insult the user. (The user might be your boss.)

Figure 7A.1


• Do not end the message with an exclamation point. “Must be from 1 to 5” is fi ne. “Must be from 1 to 5!” is scolding. Nobody likes to be scolded.

If you do not provide a message, Access will display the rule that the data did not satisfy in a standard message format. Some users will be able to fi gure out the problem from this, but many nontechnical people will fi nd it confusing.

6. Test your work by going to Datasheet view, entering sample data values, and confi rming that valid ones are accepted but invalid ones are not. Pick values that provide good tests. Try values at the limits: If a number is supposed to be less than 10, not less than or equal to 10, make sure 10 is rejected.

Usage Hint: Access does not apply validation checks to default values. This can lead to problems when a user changes a default, realizes that the change was in error, and tries to change it back. If there are both a default and a validation rule for the same fi eld, be sure the validation rule allows the default value. That way, you can restore the default value if you change it by mistake.

Checking Values Against a List

Sometimes there is no simple formula to defi ne valid data, but there is a list of valid values. For example, you might require a state code in a U.S. postal address to be one of the 50 + that the U.S. Postal Service recog-nizes, or you might require a department name to be one of those in your company.

The simplest way to handle this is to list them in the rule. The expression “IN (a, b, c, . . .)” does this. This evaluates as True if the entered value is a, b, c, up to as many as you have. (Replace a, b, c and so on with the valid values.) If items are text, put them in quotation marks. A rule to see if a location is one of your fi rm’s offi ces might look like this:

IN (“Boston”, “Paris”, “Sydney”, “Santiago”)

Usage Hint: If you’re in North America, you were taught that commas go inside quotation marks in English writing. That does not apply to Access functions!

Longer lists should be in tables. (This is a fl ex-ible concept that can do more than reduce data entry errors.) To get a pull-down list with all valid values:

1. Create a new table with one fi eld. Give it the same data type as the fi eld whose data you want to validate. Enter all valid data values into this column. Save the table, giving it a suitable name, and close it. You can change it whenever the list of valid data values changes.

2. Open the table that contains the fi eld you want to check against this list. In Design view, select that fi eld. Select its Data Type column, and change its data type to “Lookup Wizard . . .”

3. On the fi rst page of the wizard, tell it you want to look up values in a table or query.

4. On the next page, select the table you just created. 5. On the next page, select the only column this table

has and move it to the right-hand pane by clicking the “]” symbol. Click “Next” a few times until the wizard exits Figure 7A.2.


6. A value list created this way lets the user select values from a pull-down list. It also lets the user enter a value that is not in the list. If you want to prevent that, while this fi eld is still selected, click the Lookup tab in the Field Properties pane. Change “Limit to list” to “Yes” via the down arrow at the right of the row. (If you do not do this now, you can do it later.)

7. Switch to Datasheet view to confi rm that the fi eld behaves correctly.

8. You can click the Database Tools ribbon tab and look at the relationship map. If it does not show the new table, click Show Table and add it to the map. You’ll see a link between the new table and the table that contains the data to be validated against it.

Activity:

1. Download the Ch 07 CustOrder database from the Web site and open it. It has tables for customers, orders, line items, and products. Its structure resembles the example in Section 3.3 of this book. The Ordered Parts table there corresponds to the Line Item table here.

2. Open the Line Item table and specify a default value of 1 for Quantity.

Figure 7A.2


Database Activity 279

3. Open the Customer table and enter a default value of 0 for customer discount. Also, for the same fi eld, add a rule to limit the discount to a range of 0 to 25 percent. (Enter the upper limit as 0.25, not 25. Access can display fractions as percentages, but that is just for display. It treats them as fractions internally and validates them that way.)

4. Add a validation rule to the payment date: It must be no later than today. (The limiting value, today, is allowable.)

5. Create a table CountryList with one column: countries from which you expect orders. Enter ten countries into it, including your home country, the others in the sample data, and seven others of your choice (or six, if your home country is not in the sample data). Link the table to the Country fi eld in the Customer table. The user should be allowed to enter a new country in the Customer table if a customer’s country is not in the list.

Deliverables:

Your completed database, with the above changes.

Quiz Questions:

1. True or False? A person entering data into an Access database can change a default value.

2. In which of the following places can you specify a default value for a data element? 2.1. In a table, in Datasheet view 2.2. In a table, in Design view 2.3. In a report 2.4. In a form

Choose one of the following four answers: ( a) 2.2 (b) 2.2 and 2.4 (c) 2.1 and 2.4 (d) 2.2 and 2.3

3. Which of the following validation rules will allow only dates between July 13 and December 16, 2011 (including both endpoints)? (a) �#7/12/2011# AND �#12/17/2011# (b) BETWEEN #7/13/2011 AND #12/16/2011# (c) � � #7/13/2011# AND � � #12/16/2011# (d) All of the above.

4. If a validation rule has no validation text, which of the following will happen? (a) The rule will not be applied. Any data can be

entered without checking. ( b) The rule will be applied to Number and Date

data, but not to Text data. ( c) The rule will be applied, but the error message

may not be informative. (d) The rule will be applied to new data, but not to

data that someone changes later.

Discussion Questions:

1. How would you write a validation rule that permits a data value to be either 0 or any number from 5 through 10?

2. What is the purpose of Validation Text in an Access table defi nition?

3. How would you write a validation rule that requires a data value to be one of the six letters A, B, C, D, F or I?


management information systems, moving business forward

Documents