
Two questions need help with.

Read Chapter 12

Unit VIII Journal

Question 1

Instructions

Identify a skill or knowledge that you learned in this course, and explain how you can apply it to increase success in your career in a real-world scenario.

Your journal entry must be at least 200 words in length. No references or citations are necessary.

Question 2

Unit VIII Essay

Instructions

In this final assignment, you will develop a paper that reviews some of the main topics covered in the course. Compose an essay to address the following:

Identify the components of an information system using the five-component framework and provide a brief summary of each.

Explain Porter’s five forces model.

Management information systems incorporate software and hardware technologies to provide useful information for decision-making. Explain each of the following information systems and use at least one example in each to support your discussion:

A collaboration information system.

A database management system.

A content management system.

A knowledge management/expert system.

A customer relationship management system.

An enterprise resource planning system.

A social media information system.

A business intelligence/decision support system.

An enterprise information system.

Identify and discuss one technical and one human safeguard to protect against IS security threats.

There are several processes that can be used to develop information systems and applications such as SDLC and SCRUM (Agile Development). Provide a brief description of SDLC and SCRUM and then discuss at least one similarity and one difference between SDLC and SCRUM.

Sum up your paper by discussing the importance of MIS.

Your paper must be at least three pages long, and you must use at least two resources. Be sure to cite all sources used in APA format and format your essay in APA style.

Lesson 10

Information Systems Security

Lesson Preview


This lesson provides an overview of the major components of information systems security. We begin in Q10-1 by defining the goals of IS security and then, in Q10-2, discuss the size of the computer security problem. Next, in Q10-3, we address how you, both as a student today and as a business professional in the future, should respond to security threats. Then, in Q10-4, we ask what organizations need to do to respond to security threats. After that, Q10-5 through Q10-7 address security safeguards. Q10-5 discusses technical safeguards that involve hardware and software components, Q10-6 addresses data safeguards, and Q10-7 discusses human safeguards that involve procedure and people components. Q10-8 then summarizes what organizations need to do when they experience a security incident, and we wrap up the lesson with a preview of IS security in 2031.

Unfortunately, threats to data and information systems are increasing and becoming more complex. In fact, the U.S. Bureau of Labor Statistics estimates that demand for security specialists will increase by more than 32 percent between 2018 and 2028 with a median salary of $99,730. This is strong growth considering computer occupations are projected to grow at 13 percent and all occupations at 5 percent.1 If you find this topic attractive, majoring in information systems with a security specialty would open the door to many interesting jobs.


Q10-1 What Is the Goal of Information Systems Security?


Information systems security is really about trade-offs. In one sense, it’s a trade-off between security and freedom. For example, organizations can increase the security of their information systems by taking away users’ freedom to choose their own passwords and force them to choose stronger passwords that are difficult for hackers to crack.

Another way to look at information systems security, and the primary focus of this lesson, is that it’s a trade-off between cost and risk. To understand the nature of this trade-off, we begin with a description of the security threat/loss scenario and then discuss the sources of security threats. Following that, we’ll state the goal of information systems security.

The IS Security Threat/Loss Scenario


Figure 10-1 illustrates the major elements of the security problem that individuals and organizations confront today. A threat is a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner’s permission and often without the owner’s knowledge. A vulnerability is an opportunity for threats to gain access to individual or organizational assets. For example, when you buy something online, you provide your credit card data; when that data is transmitted over the Internet, it is vulnerable to threats. A safeguard is some measure that individuals or organizations take to block the threat from obtaining the asset. Notice in Figure 10-1 that safeguards are not always effective; some threats achieve their goal despite safeguards. Finally, the target is the asset that is desired by the threat.

Figure 10-1: Threat/Loss Scenario

Figure 10-2 shows examples of threats/targets, vulnerabilities, safeguards, and results. In the first two rows, a hacker (the threat) wants your bank login credentials (the target) to access your bank account. If you click on links in emails, you can be directed to phishing sites that look identical to your bank’s website. Phishing sites don’t typically use https. If, as shown in the first row of Figure 10-2, you always access your bank’s site using https rather than http (discussed in Q10-5), you will be using an effective safeguard, and you will successfully counter the threat.

Figure 10-2: Examples of Threat/Loss

| Threat/Target | Vulnerability | Safeguard | Result | Explanation |
|---|---|---|---|---|
| Hacker wants to steal your bank login credentials | Hacker creates a phishing site nearly identical to your online banking site | Only access sites using https | No loss | Effective safeguard |
| (as above) | (as above) | None | Loss of login credentials | Ineffective safeguard |
| Employee posts sensitive data to public Facebook group | Public access to not-secure group | Passwords, procedures, employee training | Loss of sensitive data | Ineffective safeguard |

If, however, as described in the second row of Figure 10-2, you access what appears to be your bank’s site without using https (i.e., an unsecured site), you have no safeguard at all. Your login credentials can be quickly recorded and resold to other criminals.

The bottom row of Figure 10-2 shows another situation. Here an employee at work obtains sensitive data and posts it on what he thinks is a work-only Facebook group. However, the employee errs and instead posts it to a public group. The target is the sensitive data, and the vulnerability is public access to the group. In this case, there are several safeguards that should have prevented this loss; the employee needed passwords to obtain the sensitive data and to join the private, work-only group. The employer has procedures that state employees are not to post confidential data to any public site, such as Facebook, but these procedures were either unknown or ignored. A third safeguard is the training that all employees are given. Because the employee ignores the procedures, though, all of those safeguards are ineffective and the data is exposed to the public.

What Are the Sources of Threats?


Figure 10-3 summarizes the sources of security threats. The type of threat is shown in the columns, and the type of loss is shown in the rows.

Figure 10-3: Security Problems and Sources

| Loss \ Threat | Human Error | Computer Crime | Natural Disasters |
|---|---|---|---|
| Unauthorized Data Disclosure | Procedural mistakes | Pretexting, phishing, spoofing, sniffing, hacking | Disclosure during recovery |
| Incorrect Data Modification | Procedural mistakes, incorrect procedures, ineffective accounting controls, system errors | Hacking | Incorrect data recovery |
| Faulty Service | Procedural mistakes, development and installation errors | Usurpation | Service improperly restored |
| Denial of Service (DoS) | Accidents | DoS attacks | Service interruption |
| Loss of Infrastructure | Accidents | Theft, terrorist activity | Property loss |

Human Error
Human errors and mistakes include accidental problems caused by both employees and nonemployees. An example is an employee who misunderstands operating procedures and accidentally deletes customer records. Another example is an employee who, in the course of backing up a database, inadvertently installs an old database on top of the current one. This category also includes poorly written application programs and poorly designed procedures. Finally, human errors and mistakes include physical accidents, such as driving a forklift through the wall of a computer room.

Computer Crime
The second threat type is computer crime. This threat type includes employees and former employees who intentionally destroy data or other system components. It also includes hackers who break into a system and virus and worm writers who infect computer systems. Computer crime also includes terrorists and those who break into a system to steal for financial gain.

Natural Events and Disasters
Natural events and disasters are the third type of security threat. This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions to recover from the initial problem.

What Types of Security Loss Exist?


Five types of security loss exist: unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure. Consider each.

Unauthorized Data Disclosure
Unauthorized data disclosure occurs when a threat obtains data that is supposed to be protected. It can occur by human error when someone inadvertently releases data in violation of policy. An example at a university is a department administrator who posts student names, identification numbers, and grades in a public place, when the releasing of names and grades violates state and federal law. Another example is employees who unknowingly or carelessly release proprietary data to competitors or to the media. WikiLeaks is a famous example of unauthorized disclosure; the situation described in the third row of Figure 10-2 is another example.

The popularity and efficacy of search engines have created another source of inadvertent disclosure. Employees who place restricted data on websites that can be reached by search engines might mistakenly publish proprietary or restricted data over the Web.

Of course, proprietary and personal data can also be released and obtained maliciously. Pretexting occurs when someone deceives by pretending to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers: “I’m checking your Mastercard number; it begins with 5491. Can you verify the rest of the number?” Thousands of Mastercard numbers start with 5491; the caller is attempting to steal a valid number.

Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.

Spoofing is another term for someone pretending to be someone else. If you pretend to be your professor, you are spoofing your professor. IP spoofing occurs when an intruder uses another site’s IP address to masquerade as that other site. Email spoofing is a synonym for phishing.

Sniffing is a technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required: Wardrivers simply take computers with wireless connections through an area and search for unprotected wireless networks. They use packet sniffers, which are programs that capture network traffic to monitor and intercept traffic on unsecured wireless (or wired) networks. Even protected wireless networks are vulnerable, as you will learn. Spyware and adware are two other sniffing techniques discussed later in this lesson.

Other forms of computer crime include hacking, which is breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.

Finally, people might inadvertently disclose data during recovery from a natural disaster. During a recovery, everyone is so focused on restoring system capability that they might ignore normal security safeguards. A request such as “I need a copy of the customer database backup” will receive far less scrutiny during disaster recovery than at other times.

Incorrect Data Modification
The second type of security loss in Figure 10-3 is incorrect data modification. Examples include incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus. Other examples include placing incorrect information, such as incorrect price changes, on a company’s website or company portal.

Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly. For proper internal control on systems that process financial data or control inventories of assets, such as products and equipment, companies should ensure separation of duties and authorities and have multiple checks and balances in place.

A final type of incorrect data modification caused by human error includes system errors. An example is the lost-update problem discussed in Lesson 5.

Computer criminals can make unauthorized data modifications by hacking into a computer system. For example, hackers could hack into a system and transfer people’s account balances or place orders to ship goods to unauthorized locations and customers.

Finally, faulty recovery actions after a disaster can result in incorrect data changes. The faulty actions can be unintentional or malicious.

Faulty Service
The third type of security loss, faulty service, includes problems that result because of incorrect system operation. Faulty service could include incorrect data modification, as just described. It also could include systems that work incorrectly by sending the wrong goods to a customer or the ordered goods to the wrong customer, inaccurately billing customers, or sending the wrong information to employees. Humans can inadvertently cause faulty service by making procedural mistakes. System developers can write programs incorrectly or make errors during the installation of hardware, software programs, and data.

Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes. Faulty service can also result when service is improperly restored during recovery from natural disasters.

Denial of Service
Human error in following procedures or a lack of procedures can result in denial of service (DoS), the fourth type of loss. For example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. An OLAP application that uses the operational DBMS can consume so many DBMS resources that order-entry transactions cannot get through.

Computer criminals can launch an intentional denial-of-service attack in which a malicious hacker floods a Web server, for example, with millions of bogus service requests that so occupy the server that it cannot service legitimate requests. Also, computer worms can infiltrate a network with so much artificial traffic that legitimate traffic cannot get through. Finally, natural disasters may cause systems to fail, resulting in denial of service.

Loss of Infrastructure
Many times, human accidents cause loss of infrastructure, the last loss type. Examples are a bulldozer cutting a conduit of fiber-optic cables and a floor buffer crashing into a rack of Web servers.

Theft and terrorist events also cause loss of infrastructure. For instance, a disgruntled, terminated employee might walk off with corporate data servers, routers, or other crucial equipment. Terrorist events also can cause the loss of physical plants and equipment.

Natural disasters present the largest risk for infrastructure loss. A fire, flood, earthquake, or similar event can destroy data centers and all they contain.

You may be wondering why Figure 10-3 does not include terms such as viruses, worms, and Trojan horses. The answer is that viruses, worms, and Trojan horses are techniques for causing some of the problems in the figure. They can cause a denial-of-service attack, or they can be used to cause malicious, unauthorized data access or data loss.

Finally, a new threat term has come into recent use. An Advanced Persistent Threat (APT) is a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments. APTs can be a means to engage in cyberwarfare and cyber-espionage.

An example of an APT is a group called APT41 (Double Dragon), which is allegedly a covert, financially motivated, state-sponsored hacking group based out of China. In 2020, security researchers at FireEye released a detailed report describing APT41’s tools, tactics, and procedures.2 More specifically, it showed how APT41 is targeting healthcare and technology companies. Before 2015 the hacking group was focused on stealing intellectual property (source code). But since 2017 the group has focused on hacking supply chains, cryptocurrency manipulation, intelligence gathering, and injecting malware into legitimate software updates sent to consumers. If you work in the military or for intelligence agencies, you will certainly be concerned, if not involved, with APTs. We return to this topic in Q10-9.


Goal of Information Systems Security


As shown in Figure 10-1, threats can be stopped, or if not stopped, the costs of loss can be reduced by creating appropriate safeguards. Safeguards are, however, expensive to create and maintain. They also reduce work efficiency by making common tasks more difficult, adding additional labor expense. The goal of information security is to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

Business professionals need to consider that trade-off carefully. In your personal life, you should certainly employ antivirus software. You should probably implement other safeguards that you’ll learn about in Q10-3. Some safeguards, such as deleting browser cookies, will make using your computer more difficult. Are such safeguards worth it? You need to assess the risks and benefits for yourself.

Similar comments pertain to organizations, though they need to go about it more systematically. The bottom line is not to let the future unfold without careful analysis and action as indicated by that analysis. Get in front of the security problem by making the appropriate trade-off for your life and your business.



Q10-2 How Big Is the Computer Security Problem?


We do not know the full extent of the financial and data losses due to computer security threats. Certainly, the losses due to human error are enormous, but few organizations compute those losses, and even fewer publish them. However, a 2019 security report by Risk Based Security reported the loss of 15 billion personal records in a record 7,000 security incidents.3 Some of the more notable data breaches include the loss of user accounts at Sina Weibo (538 million), OxyData (380 million), Zynga (218 million), and Capital One (100 million). And that’s not even counting the loss of more than 137 million financial records from Canva or the loss of 161 million Dubsmash accounts. More than 84 percent of user records stolen were taken by external attackers via Web vulnerabilities (89 percent) or direct hacking (10 percent). Keep in mind that these are only the companies that made the news and voluntarily reported their losses.

Losses due to natural disasters are also enormous and nearly impossible to compute. The 2011 earthquake in Japan, for example, shut down Japanese manufacturing, and losses rippled through the supply chain from the Far East to Europe and the United States. One can only imagine the enormous expense for Japanese companies as they restored their information systems.

Furthermore, no one knows the cost of computer crime. For one, there are no standards for tallying crime costs. Does the cost of a denial-of-service attack include lost employee time, lost revenue, or long-term revenue losses due to lost customers? Or if an employee loses a $2,000 laptop, does the cost include the value of the data that was on it? Does it include the cost of the time of replacing it and reinstalling software? Or if someone steals next year’s financial plan, how is the cost of the value that competitors glean determined?


Second, all the studies on the cost of computer crime are based on surveys. Different respondents interpret terms differently, some organizations don’t report all their losses, and some won’t report computer crime losses at all. Absent standard definitions and a more accurate way of gathering crime data, we cannot rely on the accuracy of any particular estimate. The most we can do is look for trends by comparing year-to-year data, assuming the same methodology is used by the various types of survey respondents.

Figure 10-4 shows the results of a survey performed by Accenture plc, a multinational professional services company, and the Ponemon Institute. It shows the percentage of companies experiencing the most common types of attacks. It appears the most common attack type was malware (98 percent).5 Unfortunately, this type of attack doesn’t seem to be decreasing anytime soon. Other types of attacks are also fairly stable over time, except for ransomware, which has increased dramatically. Figure 10-5 shows that the costs for these attacks are all increasing over time.

Figure 10-4: Percentage of Companies Experiencing Attack by Attack Type

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2019.

Figure 10-5: Computer Crime Costs

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2019.

In addition to this data, Accenture also surveyed losses by type of asset compromised. It found that information loss was the single most expensive consequence of computer crime averaging $5.9M in losses annually per firm in 2018. Business disruption was the second highest cost, at $4.0M. Equipment losses and damages were only $0.5M of the lost value. Clearly, value lies in data and not in hardware!

Accenture also reported that 60 percent of internal costs related to cybercrime come from discovery (36 percent) and containment (24 percent). The next most costly activities were investigation (22 percent) and recovery (18 percent).

The 2019 Cost of Computer Crime Study includes an in-depth analysis of the effect of different security policies on the savings in computer crime. The bottom line is that organizations that spend more to create the safeguards discussed in Q10-4 through Q10-7 (later in this lesson) experience less computer crime and suffer smaller losses when they do. Security safeguards do work!

If you search for the phrase computer crime statistics on the Web, you will find numerous similar studies. Some are based on dubious sampling techniques and seem to be written to promote a particular safeguard product or point of view. Be aware of such bias as you read.

Using the Accenture study, the bottom line, as of 2019, is:

· Ransomware and malicious insider attacks are increasingly serious security threats.

· Information loss and business disruption are principal costs of computer crime.

· Discovery and containment account for over half of the internal costs related to cyber intrusions.

· Security safeguards work.


Q10-3 How Should You Respond to Security Threats?


As stated at the end of Q10-1, your personal IS security goal should be to find an effective trade-off between the risk of loss and the cost of safeguards. However, few individuals take security as seriously as they should, and most fail to implement even low-cost safeguards.

Figure 10-6 lists recommended personal security safeguards. The first safeguard is to take security seriously. You cannot see the attempts that are being made, right now, to compromise your computer. However, they are there.

Figure 10-6: Personal Security Safeguards

· Take security seriously

· Create strong passwords

· Use multiple passwords

· Send no valuable data via email or IM

· Use https at trusted, reputable vendors

· Remove high-value assets from computers

· Clear browsing history, temporary files, and cookies (CCleaner or equivalent)

· Regularly update antivirus software

· Demonstrate security concern to your fellow workers

· Follow organizational security directives and guidelines

· Consider security for all business initiatives

Unfortunately, the first sign you receive that your security has been compromised will be bogus charges on your credit card or messages from friends complaining about the disgusting email they just received from your email account. Computer security professionals run intrusion detection systems to detect attacks. An intrusion detection system (IDS) is a computer program that senses when another computer is attempting to scan or access a computer or network. IDS logs can record thousands of attempts each day. If these attempts come from outside the country, there is nothing you can do about them except use reasonable safeguards.

If you decide to take computer security seriously, the single most important safeguard you can implement is to create and use strong passwords. We discussed ways of doing this in Lesson 1. To summarize, do not use any word, in any language, as part of your password. Use passwords with a mixture of upper- and lowercase letters and numbers and special characters.

Such nonword passwords are still vulnerable to a brute force attack, in which the password cracker tries every possible combination of characters. A brute force attack can crack a six-character password of either upper- or lowercase letters in a couple of minutes. However, a brute force attack on a six-character password having a mixture of upper- and lowercase letters, numbers, and special characters can take hours. A 10-character password of only upper- and lowercase letters can take years to crack, but one using a mix of letters, numbers, and special characters may require hundreds of years. A 12-character, letter-only password may require thousands of years, and a 12-character mixed password may take millions of years. All of these estimates assume, of course, that the password contains no word in any language. The bottom line is this: Use long passwords with no words, 12 or more characters, and a mix of letters, numbers, and special characters.

In addition to using long, complex passwords, you should also use different passwords for different sites. That way, if one of your passwords is compromised, you do not lose control of all of your accounts. Attackers use credential stuffing, or the automated injection of stolen usernames and passwords, to gain access to multiple websites. Credential stuffing is becoming very common because of password reuse, that is, using the same login information to access multiple sites.

Make sure you use very strong passwords for important sites (like your bank’s site), and do not reuse those passwords on less important sites (like your social networking sites). Some sites are focused on innovating products and may not allocate the same amount of resources to protect your information. Guard your information with a password it deserves.
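As an added illustration (not code from the textbook), the following Python checks a password against the rules this section recommends, computes the search space a brute-force attacker must cover for the character classes a password actually uses, and flags password reuse across a set of accounts; the word list, guess rate and sample vault are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a real dictionary (assumption): a real policy check
# would load a large, multi-language word list.
WORDLIST = {"password", "welcome", "dragon", "summer", "admin", "letmein"}

# Character classes the textbook recommends mixing.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26 characters
    "upper": set(string.ascii_uppercase),    # 26 characters
    "digit": set(string.digits),             # 10 characters
    "special": set(string.punctuation),      # 32 characters
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(classes):
    """Number of distinct characters an attacker must try per position."""
    return sum(len(CHAR_CLASSES[name]) for name in classes)


def keyspace(length, classes):
    """Worst-case number of guesses to exhaust every password of this length
    drawn from the given classes: charset ** length."""
    return charset_size(classes) ** length


def seconds_to_exhaust(password, guesses_per_second):
    """Time to try every password built from the classes this one uses.
    The guess rate is an assumption about the attacker's hardware."""
    return keyspace(len(password), classes_used(password)) / guesses_per_second


def contains_word(password, wordlist=WORDLIST, min_len=4):
    """True if a listed word of at least min_len letters appears in the password,
    case-insensitively (the textbook's 'no word in any language' rule)."""
    lowered = password.lower()
    return any(w in lowered for w in wordlist if len(w) >= min_len)


def check_password(password, min_length=12, wordlist=WORDLIST):
    """Return a list of policy violations; an empty list means the password passes."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    missing = set(CHAR_CLASSES) - classes_used(password)
    if missing:
        issues.append("missing character classes: " + ", ".join(sorted(missing)))
    if contains_word(password, wordlist):
        issues.append("contains a dictionary word")
    return issues


def find_reused(vault):
    """Given {site: password}, return {password: [sites]} for every password used on
    more than one site; those accounts are the ones exposed to credential stuffing."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for pw in ("Summer2024", "xK9#vQ2!mW7$"):
        bits = math.log2(keyspace(len(pw), classes_used(pw)))
        print(pw, check_password(pw) or "OK", f"log2(keyspace)={bits:.1f} bits")
    # Constructed vault: the same password protects a bank and a social site.
    print(find_reused({"bank": "Tr0ub4dor&3", "social": "Tr0ub4dor&3",
                       "mail": "xK9#vQ2!mW7$"}))
```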

Never send passwords, credit card data, or any other valuable data in email or IM. As stated numerous times in this text, most email and IM is not protected by encryption (see Q10-5), and you should assume that anything you write in email or IM could find its way to the front page of The New York Times tomorrow.

Buy only from reputable online vendors using a secure https connection. If the vendor does not support https in its transactions (look for https:// in the address line of your browser), do not buy from that vendor.

You can reduce your vulnerability to loss by removing high-value assets from your computers. Now, and especially later as a business professional, make it your practice not to travel out of your office with a laptop or other device that contains any data that you do not need. In general, store proprietary data on servers or removable devices that do not travel with you. (Microsoft 365, by the way, uses https to transfer data to and from SharePoint. You can use it or a similar application for processing documents from public locations such as airports while you are traveling.)

Your browser automatically stores a history of your browsing activities and temporary files that contain sensitive data about where you’ve visited, what you’ve purchased, what your account names and passwords are, and so forth. It also stores cookies, which are small files that your browser receives when you visit websites. The cookie might contain data such as the date you last visited, whether you are currently signed in, or something else about your interaction with that site. Cookies enable you to access websites without having to sign in every time, and they speed up processing of some sites.

A third-party cookie is a cookie created by a site other than the one you visited. Such cookies are generated in several ways, but the most common occurs when a Web page includes content from multiple sources. For example, Amazon designs its pages so that one or more sections contain ads provided by the ad-servicing company DoubleClick. When the browser constructs your Amazon page, it contacts DoubleClick to obtain the content for such sections (in this case, ads). When it responds with the content, DoubleClick instructs your browser to store a DoubleClick cookie. That cookie is a third-party cookie. In general, third-party cookies do not contain the name or any value that identifies a particular user. Instead, they include the IP address to which the content was delivered.

On its own servers, when it creates the cookie, DoubleClick records that data in a log, and if you click on the ad, it will add the fact of that click to the log. This logging is repeated every time DoubleClick shows an ad. Cookies have an expiration date, but that date is set by the cookie creator, and they can last many years. So, over time, DoubleClick and any other third-party cookie owner will have a history of what they’ve shown, what ads have been clicked, and the intervals between interactions.
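The mechanism just described, as an added model that is not part of the textbook: a browser cookie jar scoped per host, an ad host that sets a cookie on first contact and logs every impression and click, and the effect of clearing or blocking third-party cookies. Host names, the client IP and the cookie layout are constructed assumptions.

```python
from collections import defaultdict


class CookieJar:
    """Browser-side cookie store. Cookies are scoped to the host that set them, so a
    cookie set by the ad host is only sent back to the ad host (simplified model)."""

    def __init__(self):
        self._store = defaultdict(dict)

    def set_cookie(self, host, name, value):
        self._store[host][name] = value

    def cookies_for(self, host):
        return dict(self._store.get(host, {}))

    def clear(self):
        """The 'clear cookies' safeguard from Figure 10-6."""
        self._store.clear()


class AdServer:
    """Model of a third-party ad host: serves content embedded by many sites, sets a
    cookie on first contact and logs every impression and click it sees."""

    def __init__(self, host):
        self.host = host
        self.log = []
        self._issued = 0

    def serve(self, client_ip, embedding_site, cookies):
        """Return ad content plus the cookie the browser should store."""
        cookie = cookies.get("ad_id")
        if cookie is None:
            # As the text describes, the cookie records the IP the content was
            # delivered to rather than a user name; the serial is an assumption.
            self._issued += 1
            cookie = f"ip={client_ip};serial={self._issued}"
        self.log.append({"cookie": cookie, "site": embedding_site, "event": "impression"})
        return {"content": f"<ad from {self.host}>", "set_cookie": ("ad_id", cookie)}

    def record_click(self, cookies, embedding_site):
        self.log.append({"cookie": cookies.get("ad_id"), "site": embedding_site, "event": "click"})

    def history_by_cookie(self):
        """What the ad host can reconstruct: per cookie, the sites and events seen."""
        history = defaultdict(list)
        for entry in self.log:
            history[entry["cookie"]].append((entry["site"], entry["event"]))
        return dict(history)


class Browser:
    """A browser loading first-party pages that embed content from an ad host."""

    def __init__(self, client_ip, block_third_party=False):
        self.client_ip = client_ip
        self.block_third_party = block_third_party
        self.jar = CookieJar()

    def _cookies_to_send(self, ad_server):
        return {} if self.block_third_party else self.jar.cookies_for(ad_server.host)

    def load_page(self, site, ad_server):
        """Fetch the page from `site`, then the embedded ad from `ad_server`. With
        third-party cookies blocked, none are sent to or stored for the ad host."""
        response = ad_server.serve(self.client_ip, site, self._cookies_to_send(ad_server))
        if not self.block_third_party:
            name, value = response["set_cookie"]
            self.jar.set_cookie(ad_server.host, name, value)
        return response["content"]

    def click_ad(self, site, ad_server):
        ad_server.record_click(self._cookies_to_send(ad_server), site)


def sites_linked(ad_server):
    """Distinct sites each cookie was seen on; more than one means cross-site tracking."""
    return {c: sorted({site for site, _ in events})
            for c, events in ad_server.history_by_cookie().items()}


if __name__ == "__main__":
    ads = AdServer("ads.example")            # constructed host names, not real services
    browser = Browser("203.0.113.7")         # address from the documentation range
    browser.load_page("shop.example", ads)
    browser.load_page("news.example", ads)
    browser.click_ad("news.example", ads)
    print(sites_linked(ads))                 # one cookie linked to both sites
    browser.jar.clear()
    browser.load_page("shop.example", ads)   # after clearing, a fresh cookie is issued
    print(sites_linked(ads))
```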

But the opportunity …
