Chapter 8 (Mis)

The document discusses various software vulnerabilities and security challenges, including unauthorized access, programming errors, and the impact of disasters on information systems. It outlines the importance of security policies, controls, and risk assessments in protecting organizational assets and ensuring compliance with regulations like Sarbanes-Oxley and HIPAA. Additionally, it covers technologies for safeguarding information, such as firewalls, encryption, and identity management systems.

Uploaded by Trixy Pabellano

CHAPTER 8: SYSTEM VULNERABILITY AND ABUSE

Security: Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Controls: Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards.

Why systems are vulnerable

• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
• Software problems (programming errors, installation errors, unauthorized changes)
• Disasters
• Use of networks/computers outside of firm's control
• Loss and theft of portable devices

CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES (figure): The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Internet vulnerabilities

• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with cable or DSL modems creates fixed targets for hackers
• Unencrypted VOIP
• E-mail, P2P, IM
  o Interception
  o Attachments with malicious software
  o Transmitting trade secrets

Wireless security challenges

• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
  o Identify access points
  o Broadcast multiple times
  o War driving: Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources
• WEP (Wired Equivalent Privacy)
  o Security standard for 802.11; use is optional
  o Uses shared password for both users and access point
  o Users often fail to implement WEP or stronger systems
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

Malware (malicious software)

• Viruses: Rogue software program that attaches itself to other software programs or data files in order to be executed.
• Worms: Independent computer programs that copy themselves from one computer to other computers over a network.
• Trojan horses: Software program that appears to be benign but then does something other than expected.
• SQL injection attacks: Hackers submit data to Web forms that exploits site's unprotected software and sends rogue SQL query to database.
• Spyware: Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.
• Key loggers: Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks.

Hackers and computer crime

• Hackers vs. crackers
• Activities include
  o System intrusion
  o System damage
  o Cybervandalism: Intentional disruption, defacement, destruction of Web site or corporate information system

Spoofing

• Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
• Redirecting Web link to address different from intended one, with site masquerading as intended destination

Sniffer

• Eavesdropping program that monitors information traveling over network
• Enables hackers to steal proprietary information such as e-mail, company files, etc.

Denial-of-service attacks (DoS)

• Flooding server with thousands of false requests to crash the network

Distributed denial-of-service attacks (DDoS)

• Use of numerous computers to launch a DoS
• Botnets
  o Networks of "zombie" PCs infiltrated by bot malware
  o Worldwide, 6-24 million computers serve as zombie PCs in thousands of botnets

Computer crime

• Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
• Computer may be target of crime, e.g.:
  o Breaching confidentiality of protected computerized data
  o Accessing a computer system without authority
• Computer may be instrument of crime, e.g.:
  o Theft of trade secrets
  o Using e-mail for threats or harassment

Identity theft: Theft of personal information (social security id, driver's license or credit card numbers) to impersonate someone else.

Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.

Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet.

Pharming: Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser.

Click fraud: Occurs when individual or computer program fraudulently clicks on online ad without any intention of learning more about the advertiser or making a purchase.

Cyberterrorism and cyberwarfare

Software vulnerability

• Commercial software contains flaws that create security vulnerabilities
  o Hidden bugs (program code defects): Zero defects cannot be achieved because complete testing is not possible with large programs
• Flaws can open networks to intruders
• Patches
  o Vendors release small pieces of software to repair flaws
  o However, exploits are often created faster than patches can be released and implemented
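The DoS and DDoS bullets above describe flooding from one source or from many "zombie" PCs at once. As an added example (not part of the chapter notes), here is the request-rate check a defender would run over a web server's access log to spot both patterns: a per-client sliding-window counter for the single-source flood, and an aggregate counter for the distributed case where each zombie stays under the per-client limit. The log format, the thresholds and the log lines themselves are constructed for illustration.

```python
# Added example: sliding-window flood detection over an access log.
# Log format (assumed): "<epoch_seconds> <client_ip> <request_line>"
from collections import defaultdict, deque

# Constructed sample log; 203.0.113.9 hammers /login while two other
# clients browse normally.
SAMPLE_LOG = """\
1000 10.0.0.5 GET /index.html
1000 203.0.113.9 GET /login
1001 203.0.113.9 GET /login
1001 203.0.113.9 GET /login
1002 203.0.113.9 GET /login
1002 10.0.0.7 GET /about.html
1003 203.0.113.9 GET /login
1003 203.0.113.9 GET /login
1004 203.0.113.9 GET /login
1020 203.0.113.9 GET /login
1021 10.0.0.5 GET /contact.html
"""


def parse_log(text):
    """Yield (timestamp, client_ip, request) tuples; malformed lines are skipped
    rather than allowed to crash the monitor."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2]


def _first_burst(timestamps, window, threshold):
    """First timestamp at which `threshold` events fall inside `window` seconds,
    or None. Timestamps are assumed to arrive in log (non-decreasing) order."""
    recent = deque()
    for ts in timestamps:
        recent.append(ts)
        while ts - recent[0] >= window:     # evict events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return ts
    return None


def detect_floods(text, window=5, threshold=6):
    """Per-client check: {ip: first_timestamp_flagged} for clients that send
    `threshold` or more requests within any `window`-second span."""
    per_ip = defaultdict(list)
    for ts, ip, _request in parse_log(text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        hit = _first_burst(stamps, window, threshold)
        if hit is not None:
            flagged[ip] = hit
    return flagged


def detect_aggregate_flood(text, window=5, threshold=9):
    """Server-wide check, ignoring source: catches a distributed flood in which
    every participating machine stays below the per-client threshold."""
    return _first_burst([ts for ts, _, _ in parse_log(text)], window, threshold)


if __name__ == "__main__":
    print("per-client floods:", detect_floods(SAMPLE_LOG))
    print("aggregate flood at:", detect_aggregate_flood(SAMPLE_LOG))
```

The two checks are deliberately separate: blocking the single noisy client is the right response to the first, while the second calls for upstream filtering or capacity, since there is no one address to block.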

BUSINESS VALUE OF SECURITY AND CONTROL

• Failed computer systems can lead to significant or total loss of business function
• Firms now more vulnerable than ever
  o Confidential personal and financial data
  o Trade secrets, new products, strategies
• A security breach may cut into firm's market value almost immediately
• Inadequate security and controls also bring forth issues of liability
• Legal and regulatory requirements for electronic records management and privacy protection
  o HIPAA: Medical security and privacy rules and procedures.
  o Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data.
  o Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally.

Electronic evidence

• Evidence for white collar crimes often in digital form
• Data on computers, e-mail, instant messages, e-commerce transactions
• Proper control of data can save time and money when responding to legal discovery request

Computer forensics:

• Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
• Includes recovery of ambient and hidden data

ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL

Information systems controls

• Manual and automated controls
• General and application controls

General controls

• Govern design, security, and use of computer programs and security of data files in general throughout organization's information technology infrastructure.
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures to create overall control environment.

Types of general controls

• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Implementation controls
• Administrative controls

Application controls

• Specific controls unique to each computerized application, such as payroll or order processing
• Include both automated and manual procedures
• Ensure that only authorized data are completely and accurately processed by that application
• Include:
  o Input controls
  o Processing controls
  o Output controls

Risk assessment: Determines level of risk to firm if specific activity or process is not properly controlled

Types of threat

• Probability of occurrence during year
• Potential losses, value of threat
• Expected annual loss

Security policy

• Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
• Drives other policies
  o Acceptable use policy (AUP): Defines acceptable uses of firm's information resources and computing equipment
  o Authorization policies: Determine differing levels of user access to information assets.

Identity management

• Business processes and tools to identify valid users of system and control access
  o Identifies and authorizes different categories of users
  o Specifies which portion of system users can access
  o Authenticating users and protects identities
• Identity management systems
  o Captures access rules for different levels of users

SECURITY PROFILES FOR A PERSONNEL SYSTEM (figure): These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
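The malware list earlier defines SQL injection as data submitted to a Web form that "exploits site's unprotected software and sends rogue SQL query to database", and the application controls above name input controls as the defence that admits only authorized data. As an added example (not from the chapter notes), the following Python shows the two side by side: a lookup that pastes the form field into the query text, and the same lookup with the value bound as a parameter plus an allowlist check on the field's format. It uses Python's built-in sqlite3 with a constructed in-memory table; the user names and the form input are constructed samples.

```python
# Added example: an unprotected query beside the input controls that fix it.
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "staff"), ("carol", "admin")])
    return conn


def lookup_unprotected(conn, name):
    """Vulnerable: the form value becomes part of the SQL text, so a value
    containing quotes and operators changes what the query means."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the value is bound as data; the database never parses it as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_username(name):
    """Input control: accept only the characters a user name may contain.
    Rejecting malformed input at the form is a second, independent layer."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


def lookup_with_input_control(conn, name):
    """Both layers together: reject bad input, then query with a bound parameter."""
    if not is_valid_username(name):
        return []
    return lookup_parameterized(conn, name)


# Constructed sample of the kind of rogue value the text describes: it closes
# the quoted string and appends an always-true condition.
ROGUE_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unprotected:", lookup_unprotected(db, ROGUE_INPUT))     # every row
    print("parameterized:", lookup_parameterized(db, ROGUE_INPUT))  # no rows
    print("with input control:", lookup_with_input_control(db, "carol"))
```

Run against the rogue value, the unprotected query returns every user because the string became part of the WHERE clause; the parameterized query returns nothing because it looked for a user literally named that string.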
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL

• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after disaster
  o Both types of plans needed to identify firm's most critical systems
  o Business impact analysis to determine impact of an outage
  o Management must determine which systems restored first

MIS audit

• Examines firm's overall security environment as well as controls governing individual information systems
• Reviews technologies, procedures, documentation, training, and personnel.
• May even simulate disaster to test response of technology, IS staff, other employees.
• Lists and ranks all control weaknesses and estimates probability of their occurrence.
• Assesses financial and organizational impact of each threat

SAMPLE AUDITOR'S LIST OF CONTROL WEAKNESSES (figure): This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

Technologies and Tools for Protecting Information Resources

Identity management software

• Automates keeping track of all users and privileges
• Authenticates users, protecting identities, controlling access

Authentication

• Password systems
• Tokens
• Smart cards
• Biometric authentication

Firewall:

• Combination of hardware and software that prevents unauthorized users from accessing private networks
• Technologies include:
  o Static packet filtering
  o Network address translation (NAT)
  o Application proxy filtering

A CORPORATE FIREWALL (figure): The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.

Intrusion detection systems:

• Monitor hot spots on corporate networks to detect and deter intruders
• Examines events as they are happening to discover attacks in progress
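Of the firewall technologies listed above, static packet filtering is the simplest to show in code: each packet is judged on its header fields alone (protocol, source and destination address, destination port) against an ordered rule table. The Python below is an added example, not from the chapter notes or any firewall product; the rule table, the networks and the packet headers are constructed for illustration. It also checks the rule table for "shadowed" rules, the ordering mistake in which an earlier, broader rule silently prevents a later deny from ever matching.

```python
# Added example: first-match static packet filter with default deny,
# plus a check for rules that can never be reached.
from ipaddress import ip_address, ip_network

# Rules are checked top to bottom; the first match decides. A destination
# port of None matches any port. Networks below are documentation ranges
# chosen for the example: 192.0.2.0/24 plays the firm's DMZ.
RULES = [
    # action, proto, source network,  destination network, dest port
    ("allow", "tcp", "0.0.0.0/0",     "192.0.2.10/32",   443),  # public web server
    ("allow", "tcp", "0.0.0.0/0",     "192.0.2.10/32",   80),
    ("allow", "tcp", "10.0.0.0/8",    "192.0.2.0/24",    22),   # SSH from inside only
    ("deny",  "tcp", "0.0.0.0/0",     "192.0.2.0/24",    23),   # telnet never crosses
    ("allow", "udp", "192.0.2.0/24",  "0.0.0.0/0",       53),   # outbound DNS
]


def matches(rule, packet):
    _action, proto, src_net, dst_net, port = rule
    return (proto == packet["proto"]
            and ip_address(packet["src"]) in ip_network(src_net)
            and ip_address(packet["dst"]) in ip_network(dst_net)
            and (port is None or port == packet["dport"]))


def filter_packet(packet, rules=RULES):
    """Return (action, index of the matching rule). A packet that matches no
    rule is dropped: the table is default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, packet):
            return rule[0], i
    return "deny", None


def filter_all(packets, rules=RULES):
    return [filter_packet(p, rules)[0] for p in packets]


def find_shadowed(rules):
    """Indices of rules that can never match because an earlier rule with the
    same protocol, enclosing networks and the same (or any) port precedes them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier[1] == later[1]
                    and ip_network(later[2]).subnet_of(ip_network(earlier[2]))
                    and ip_network(later[3]).subnet_of(ip_network(earlier[3]))
                    and earlier[4] in (None, later[4])):
                shadowed.append(j)
                break
    return shadowed


# Constructed packet headers. A static filter sees only these fields, not the
# connection state or the payload that application proxy filtering inspects.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10",    "dport": 443},  # allow, rule 0
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10",    "dport": 22},   # deny: SSH from outside
    {"proto": "tcp", "src": "10.1.2.3",     "dst": "192.0.2.10",    "dport": 22},   # allow, rule 2
    {"proto": "tcp", "src": "10.1.2.3",     "dst": "192.0.2.10",    "dport": 23},   # deny, rule 3
    {"proto": "udp", "src": "192.0.2.50",   "dst": "203.0.113.53",  "dport": 53},   # allow, rule 4
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.50",    "dport": 53},   # deny: no rule
]

# A misordered table: the broad allow in front hides the telnet deny entirely.
MISORDERED = [
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", None),
    ("deny",  "tcp", "0.0.0.0/0", "192.0.2.0/24", 23),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, filter_all(SAMPLE_PACKETS)):
        print(verdict, p)
    print("shadowed rules in MISORDERED:", find_shadowed(MISORDERED))
```

Because the filter never looks past the header, it cannot tell a legitimate HTTPS session from hostile content inside one; that limitation is why the chapter lists application proxy filtering and intrusion detection alongside it.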

Antivirus and antispyware software:

• Checks computers for presence of malware and can often eliminate it as well
• Require continual updating

Unified threat management (UTM) systems

Securing wireless networks

• WEP security can provide some security by
  o Assigning unique name to network's SSID and not broadcasting SSID
  o Using it with VPN technology
• Wi-Fi Alliance finalized WPA2 specification, replacing WEP with stronger standards
  o Continually changing keys
  o Encrypted authentication system with central server

Encryption:

• Transforming text or data into cipher text that cannot be read by unintended recipients
• Two methods for encryption on networks
  o Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS)
  o Secure Hypertext Transfer Protocol (S-HTTP)

Two methods of encryption

• Symmetric key encryption: Sender and receiver use single, shared key
• Public key encryption
  o Uses two, mathematically related keys: Public key and private key
  o Sender encrypts message with recipient's public key
  o Recipient decrypts with private key

PUBLIC KEY ENCRYPTION (figure): A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Digital certificate:

• Data file used to establish the identity of users and electronic assets for protection of online transactions
• Uses a trusted third party, certification authority (CA), to validate a user's identity
• CA verifies user's identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner's public key

Public key infrastructure (PKI)

• Use of public key cryptography working with certificate authority
• Widely used in e-commerce

DIGITAL CERTIFICATES (figure): Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.
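The public key and digital certificate material above describes a flow with three parties: a CA that signs a certificate binding an owner's identity to a copy of the owner's public key, a sender who looks that key up and encrypts with it, and a recipient who decrypts with the matching private key. As an added example (not from the chapter notes), the Python below carries that whole flow through with textbook RSA on deliberately tiny primes so every number can be checked by hand; the primes, the names, the message and the certificate format are constructed for illustration, and real deployments use keys of thousands of bits through a vetted library rather than arithmetic like this.

```python
# Added example: textbook RSA keys, a CA-signed certificate, and the
# public-key encrypt / private-key decrypt exchange the figure describes.
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Textbook RSA from two (assumed) distinct primes.
    Returns public key (e, n) and private key (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, message):
    """Sender locks each byte with the recipient's PUBLIC key (byte < n always holds here)."""
    e, n = pub
    return [pow(b, e, n) for b in message.encode()]


def decrypt(priv, blocks):
    """Recipient unlocks with the matching PRIVATE key."""
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks).decode()


def digest(text, n):
    """Hash of the certificate body, reduced so it fits under the toy CA modulus."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n


def issue_certificate(ca_priv, owner, owner_pub):
    """CA binds the owner's identity to a copy of the owner's public key and signs
    the binding with the CA's private key."""
    body = "%s|%d|%d" % (owner, owner_pub[0], owner_pub[1])
    d, n = ca_priv
    return {"body": body, "signature": pow(digest(body, n), d, n)}


def verify_certificate(ca_pub, cert):
    """Anyone holding the CA's public key can check the signature; an altered
    body or a forged signature fails."""
    e, n = ca_pub
    return pow(cert["signature"], e, n) == digest(cert["body"], n)


def public_key_from(cert):
    owner, e, n = cert["body"].split("|")
    return owner, (int(e), int(n))


def exchange(message="wire $100 to acct 42"):
    """Whole flow: CA issues Bob's certificate, the sender verifies it and
    encrypts to Bob, Bob decrypts. Returns the recovered plaintext."""
    ca_pub, ca_priv = make_keypair(101, 103, e=7)    # certification authority
    bob_pub, bob_priv = make_keypair(61, 53)         # recipient "Bob"
    cert = issue_certificate(ca_priv, "bob", bob_pub)
    if not verify_certificate(ca_pub, cert):         # sender checks before trusting the key
        raise ValueError("certificate rejected")
    _owner, pub = public_key_from(cert)              # the directory lookup in the figure
    ciphertext = encrypt(pub, message)
    return decrypt(bob_priv, ciphertext)


if __name__ == "__main__":
    print(exchange())
```

The certificate is what lets the sender trust that the key really belongs to Bob: without the CA's signature, anyone could publish a key under Bob's name and read mail meant for him.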

Ensuring system availability:

• Online transaction processing requires 100% availability, no downtime

Fault-tolerant computer systems

• For continuous availability, e.g. stock markets
• Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service

High-availability computing

• Helps recover quickly from crash
• Minimizes, does not eliminate downtime

Recovery-oriented computing

• Designing systems that recover quickly, with capabilities to help operators pinpoint and correct faults in multi-component systems

Controlling network traffic

• Deep packet inspection (DPI)
• Video and music blocking

Security outsourcing: Managed security service providers (MSSPs)

Security in the cloud

• Responsibility for security resides with company owning the data
• Firms must ensure providers provide adequate protection
• Service level agreements (SLAs)

Securing mobile platforms

• Security policies should include and cover any special requirements for mobile devices
• E.g. updating smart phones with latest security patches, etc.

Ensuring software quality

• Software metrics: Objective assessments of system in form of quantified measurements
  o Number of transactions
  o Online response time
  o Payroll checks printed per hour
  o Known bugs per hundred lines of code
• Early and regular testing
• Walkthrough: Review of specification or design document by small group of qualified people
• Debugging: Process by which errors are eliminated