This document summarizes key points from a lecture on information security. It describes the relationships between hackers and viruses, and how information security policies relate to security plans. It also provides examples of three primary security areas: authentication and authorization using passwords, smart cards, or biometrics; prevention and resistance using content filtering, encryption, and firewalls; and detection and response using intrusion detection systems, antivirus software, and unified threat management systems. Vulnerabilities discussed include network accessibility, hardware and software problems, and wireless challenges. Security threats include hackers, malware, spoofing, sniffing, and identity theft. The document emphasizes that people are the biggest security issue and that policies, plans, and technology work together as lines of defense.
2. MAIN POINTS
• Describing the relationships and differences between hackers and viruses
• Describing the relationship between information security policies and an information security plan
• Providing an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
3. Systems Vulnerability and Abuse
• Why systems are vulnerable
– Accessibility of networks
– Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
– Software problems (programming errors, installation errors, unauthorized changes)
– Disasters
– Use of networks/computers outside of firm’s control
– Loss and theft of portable devices
Source: Laudon & Laudon (2016)
4. Security Challenges & Vulnerabilities
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
Source: Laudon & Laudon (2016)
5. System Vulnerability and Abuse
• Internet vulnerabilities
– Network open to anyone
– Size of Internet means abuses can have wide impact
– Use of fixed Internet addresses … creates fixed targets for hackers
– E-mail, IM, …
• Interception
• Attachments with malicious software
• Transmitting trade secrets
– Wireless security challenges
– Etc.
Source: Laudon & Laudon (2016)
6. Wi-Fi Security Challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
Source: Laudon & Laudon (2016)
7. Protecting Intellectual Assets
• Organizational information is intellectual capital – it must be protected
• Information security – The protection of information from accidental or intentional misuse by persons inside or outside an organization
• Downtime – Refers to a period of time when a system is unavailable
8. Security Threats Caused by Hackers and Malware
• Hackers – Experts in technology who use their knowledge to break into computers and computer networks, either for profit/benefit or simply motivated by the challenge
– Black-hat hacker
– White-hat hacker
– Hacktivist
– Cracker
– Cyberterrorist
9. Hackers
• White-hat hackers – work at the request of the system owners to find system vulnerabilities and plug the holes
• Black-hat hackers – break into other people’s computer systems and may just look around or may steal and destroy information
• Hacktivists – have philosophical and political reasons for breaking into systems and will often deface the website as a protest
10. Hackers
• Cracker – a hacker with criminal intent
• Cyberterrorists – seek to cause harm to people or to destroy critical systems or information and use the Internet as a weapon of mass destruction
11. Malware (Malicious Software)
– Viruses
• Malicious software program that attaches itself to other software programs or data files in order to be executed
– Worms
• Independent programs that copy themselves from one computer to other computers over a network
– Worms and viruses spread by
• Downloads (drive-by downloads)
• E-mail, IM attachments
• Downloads on Web sites and social networks
Source: Laudon & Laudon (2016)
12. Malware (Malicious Software)
• Denial-of-service attacks (DoS)
– Flooding a server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS)
– Use of numerous computers to launch a DoS
Source: Laudon & Laudon (2016)
13. Malware (Malicious Software)
– Trojan horses
• Software that appears harmless but does something other than expected
– Spyware
• Small programs that install themselves in secret or by improper means on computers to monitor user Web surfing activities …
Source: Laudon & Laudon (2016)
15. Security threats …
• Malicious code includes a variety of threats (e.g. viruses, worms, and Trojan horses)
• Spoofing is the forging of the return address on an email so that the email message appears to come from someone other than the actual sender. This is not a virus but rather a way by which virus authors hide their identities as they send out viruses.
16. Security threats …
• A sniffer is a program or device that can monitor data traveling over a network. Sniffers can show all the data being transmitted over a network, including passwords and sensitive information. Sniffers tend to be a favorite weapon in the hacker’s arsenal.
17. Security threats …
• Pharming
– Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
• Identity theft
– Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
• Phishing
– Sending e-mail messages that look like they come from legitimate businesses to ask users for confidential personal data; these may include a link to a fake Web site
Source: Laudon & Laudon (2016)
18. The First Line of Defense – People
• Organizations must enable employees, customers, and partners to access information electronically
• The biggest issue surrounding information security is not a technical issue, but a people issue
19. The First Line of Defense – People
• The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
– Information security policies – identify the rules required to maintain information security
– Information security plan – details how an organization will implement the information security policies
20. The Second Line of Defense – Technology
• There are three primary information technology security areas
21. Authentication and Authorization
• Authentication – A method for confirming users’ identities
• Authorization – The process of giving someone permission to do or have something
• The most secure type of authentication involves
1. Something the user knows
2. Something the user has
3. Something that is part of the user
22. Something the User Knows Such As a User ID and Password
• This is the most common way to identify individual users and typically contains a user ID and a password
• This is also the most ineffective form of authentication
• Over 50% of help-desk calls are password related
23. Something the User Has Such As Smart Cards and Tokens
• Smart cards and tokens are more effective than a user ID and a password
– Tokens – Small electronic devices that change user passwords automatically
– Smart card – A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
24. Something That Is Part of the User Such As a Fingerprint or Iris
• This is by far the best and most effective way to manage authentication
– Biometrics – The identification of a user based on a physical characteristic, such as a fingerprint, iris, voice, or handwriting
• Unfortunately, this method can be costly and intrusive
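Slides 21 to 24 describe the three factors (something the user knows, has, and is) without showing how a system actually checks them. The following Python example is added here and is not code from the lecture, Baltzan, or Laudon & Laudon. It combines the first two factors: a salted, iterated password hash (something the user knows) and a time-based one-time code of the kind a hardware or phone token generates every 30 seconds (something the user has, RFC 6238). The user store is an in-memory dict, the sample user "alice", the password and the token secret are all constructed for the example; the biometric factor is not implemented because it needs sensor hardware.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# --- Factor 1: something the user knows -----------------------------------------
# The password itself is never stored; a salted, iterated hash is kept instead, so a
# stolen user table does not directly reveal passwords.
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time (no timing side channel)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# --- Factor 2: something the user has -------------------------------------------
# A token that "changes the password automatically": HMAC-SHA1 over a 30-second
# counter, truncated to 6 digits, as specified in RFC 4226 / RFC 6238.
def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    now = int(time.time()) if now is None else now
    counter = now // step
    return any(hmac.compare_digest(totp_code(secret, counter + d), code)
               for d in range(-window, window + 1))

# --- Combining the factors -------------------------------------------------------
def authenticate(users: dict, username: str, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """Both factors must pass. An unknown user is checked against a dummy record
    so that response time does not reveal which usernames exist."""
    record = users.get(username, DUMMY_RECORD)
    password_ok = verify_password(password, record["salt"], record["hash"])
    token_ok = verify_totp(record["totp_secret"], code, now)
    return username in users and password_ok and token_ok

# Constructed sample data (assumption: an in-memory store stands in for a database).
_salt, _hash = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _salt, "hash": _hash,
                   "totp_secret": b"12345678901234567890"}}   # RFC 6238 test secret
_dsalt, _dhash = hash_password(secrets.token_hex(8))
DUMMY_RECORD = {"salt": _dsalt, "hash": _dhash, "totp_secret": b"\x00" * 20}

if __name__ == "__main__":
    fixed_clock = 59                      # reproducible run; token code for step 1 is 287082
    print(authenticate(USERS, "alice", "correct horse battery staple", "287082", fixed_clock))
```

With the RFC 6238 test secret and a clock value of 59 seconds the token code is 287082, which makes the run reproducible; in practice the clock comes from `time.time()` and the code from the user's device.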
25. Prevention and Resistance
• Downtime can cost an organization anywhere from $100 to $1 million per hour
• Technologies available to help prevent and build resistance to attacks include
1. Content filtering
2. Encryption
3. Firewalls
26. Prevention and Resistance
• Content filtering – Prevents emails containing sensitive information from transmitting and stops spam and viruses from spreading
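The content-filtering bullet above and the spoofing bullet on slide 15 both describe checks on mail passing a gateway. The Python example below is added here and is not code from the lecture or its sources. It applies two kinds of rule: outbound messages are held if the body contains a payment card number (validated with the Luhn check so that ordinary digit runs are not flagged) or a social security number, and inbound messages are held if they carry spam phrases, an executable attachment, or a From address whose domain differs from the Return-Path domain, which is the forged-return-address pattern slide 15 calls spoofing. The three sample messages, the addresses and the phrase list are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from typing import List

# Constructed rule data for this example; a real gateway would load these from policy.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
BLOCKED_ATTACHMENT_EXT = (".exe", ".js", ".vbs", ".scr")
SPAM_PHRASES = ("act now", "you have won", "verify your account")

def luhn_valid(number: str) -> bool:
    """Luhn checksum; filters out arbitrary digit runs such as order ids."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Verdict:
    action: str                               # "deliver" or "quarantine"
    reasons: List[str] = field(default_factory=list)

def _domain(header_value) -> str:
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def filter_message(raw: str, direction: str) -> Verdict:
    """direction is 'outbound' (data leaving the firm) or 'inbound' (mail arriving)."""
    msg = message_from_string(raw)
    reasons = []
    body_parts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(BLOCKED_ATTACHMENT_EXT):
            reasons.append(f"blocked attachment type: {filename}")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode("utf-8", errors="replace"))
    text = "\n".join(body_parts)

    if direction == "outbound":
        # Sensitive information must not leave the organization.
        if any(luhn_valid(m.group()) for m in CARD_PATTERN.finditer(text)):
            reasons.append("payment card number in body")
        if SSN_PATTERN.search(text):
            reasons.append("social security number in body")
    else:
        hits = [p for p in SPAM_PHRASES if p in text.lower()]
        if hits:
            reasons.append("spam phrase(s): " + ", ".join(hits))
        from_dom, return_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
        if from_dom and return_dom and from_dom != return_dom:
            reasons.append(f"From domain {from_dom} does not match Return-Path domain {return_dom}")
    return Verdict("quarantine" if reasons else "deliver", reasons)

# Constructed sample messages (the card number is the well-known 4111... test value).
OUTBOUND_LEAK = """From: alice@example.com
To: partner@example.org
Subject: card details

Please charge 4111 1111 1111 1111 for the invoice.
"""
OUTBOUND_CLEAN = """From: carol@example.com
To: partner@example.org
Subject: order

Order id 1234567890123 is confirmed, see you at noon.
"""
INBOUND_SPOOFED = """From: Security Team <security@examplebank.com>
Return-Path: <bounce@mailer-xyz.example>
To: bob@example.com
Subject: Action required

Please verify your account within 24 hours.
"""

if __name__ == "__main__":
    for name, raw, direction in (("leak", OUTBOUND_LEAK, "outbound"),
                                 ("clean", OUTBOUND_CLEAN, "outbound"),
                                 ("spoofed", INBOUND_SPOOFED, "inbound")):
        print(name, filter_message(raw, direction))
```

The Return-Path comparison is a coarse stand-in for SPF or DKIM verification: legitimate bulk senders sometimes use a separate bounce domain, so in production this rule would raise a score rather than quarantine on its own.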
27. Prevention and Resistance
• If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption
– Public key encryption (PKE)
28. Prevention and Resistance
• Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
• Public key encryption (PKE) – an encryption system that uses two keys: a public key for everyone and a private key for the recipient
29. Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
Source: Laudon & Laudon (2016)
30. Watch this video
• https://www.youtube.com/watch?v=E5FEqGYLL0o
• https://www.youtube.com/watch?v=EJd8zqN3zTw
31. Prevention and Resistance
Firewall:
– Combination of hardware and software that prevents unauthorized users from accessing private networks
Source: Laudon & Laudon (2016)
32. A Corporate Firewall
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.
Source: Laudon & Laudon (2016)
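Slides 31 and 32 say what a firewall does but not how it decides. The Python example below, added here and not taken from the lecture or Laudon & Laudon, models the packet-filtering core of the corporate firewall in the figure: a first-match rule list with a default deny, a DMZ that the Internet may reach only on the web port, outbound access for the private network, and an anti-spoofing check that drops packets arriving on the outside interface that claim an inside address. The address ranges (10.0.0.0/8 private, 10.1.0.0/16 DMZ), the rule set and the sample packets are constructed assumptions, not a real configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan for the example.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")   # the firm's private network
DMZ_NET = ipaddress.ip_network("10.1.0.0/16")      # public-facing servers inside PRIVATE_NET
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    iface: str          # "outside" (Internet side) or "inside"

@dataclass
class Rule:
    action: str                                # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None                # None matches any protocol
    dport: Optional[int] = None                # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

# First match wins; anything not explicitly allowed falls through to the default deny.
RULES: List[Rule] = [
    Rule("allow", PRIVATE_NET, ANY, comment="private network may initiate outbound traffic"),
    Rule("allow", ANY, DMZ_NET, "tcp", 443, comment="public web server in the DMZ"),
    Rule("deny", ANY, DMZ_NET, comment="no other access to the DMZ from outside"),
]

def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, reason) for one packet."""
    # Anti-spoofing: a packet on the outside interface must not carry an inside source.
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in PRIVATE_NET:
        return "deny", "spoofed internal source address on outside interface"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"

# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.1.0.10", "tcp", 443, "outside"),    # Internet -> DMZ web: allow
    Packet("203.0.113.7", "10.1.0.10", "tcp", 22, "outside"),     # Internet -> DMZ ssh: deny
    Packet("198.51.100.9", "10.2.0.5", "tcp", 445, "outside"),    # Internet -> internal host: deny
    Packet("10.2.0.5", "93.184.216.34", "tcp", 443, "inside"),    # internal -> Internet: allow
    Packet("10.2.0.5", "10.1.0.10", "tcp", 22, "outside"),        # inside address from outside: spoofed
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, reason = evaluate(pkt, RULES)
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto} [{pkt.iface}] {action:5} ({reason})")
```

Rule order matters: moving the outbound-allow rule below the DMZ deny would block internal administrators from reaching DMZ hosts on anything but port 443, which is exactly the kind of mistake a rule-order review is meant to catch.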
33. Detection and Response
• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
34. Detection and Response
• Intrusion detection systems:
– Monitor hot spots on corporate networks to detect and deter intruders
– Examine events as they are happening to discover attacks in progress
• Antivirus and antispyware software:
– Checks computers for the presence of malware and can often eliminate it as well
– Requires continual updating
• Unified threat management (UTM) systems
Source: Laudon & Laudon (2016)
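The intrusion detection bullets above describe examining events as they happen to discover attacks in progress. The Python example below is added here and is not code from the lecture or Laudon & Laudon; it shows the simplest form of that logic, a sliding-window detector run over log lines. Two signatures are implemented: repeated failed logins from one source within a short window (password guessing) and one source being dropped by the firewall on many distinct ports within a window (a port scan). The log lines, the hosts, the format and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events in a syslog-like format; these are not real logs.
SAMPLE_LOG = """\
2016-03-01T09:00:01 sshd Failed password for admin from 198.51.100.23 port 51000
2016-03-01T09:00:02 sshd Failed password for admin from 198.51.100.23 port 51001
2016-03-01T09:00:03 sshd Failed password for root from 198.51.100.23 port 51002
2016-03-01T09:00:04 sshd Failed password for admin from 198.51.100.23 port 51003
2016-03-01T09:00:05 sshd Failed password for admin from 198.51.100.23 port 51004
2016-03-01T09:00:06 sshd Failed password for admin from 198.51.100.23 port 51005
2016-03-01T09:00:10 sshd Accepted password for alice from 10.2.0.5 port 40000
2016-03-01T09:05:00 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=21
2016-03-01T09:05:01 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=22
2016-03-01T09:05:02 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=23
2016-03-01T09:05:03 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=25
2016-03-01T09:05:04 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=53
2016-03-01T09:05:05 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=80
2016-03-01T09:05:06 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=110
2016-03-01T09:05:07 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=135
2016-03-01T09:05:08 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=139
2016-03-01T09:05:09 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=143
2016-03-01T09:05:10 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=445
2016-03-01T09:05:11 fw DROP src=203.0.113.9 dst=10.1.0.10 dport=3389
2016-03-01T09:20:00 fw DROP src=10.2.0.7 dst=10.1.0.10 dport=22
2016-03-01T09:30:00 sshd Failed password for bob from 10.2.0.7 port 40100
"""

FAILED_RE = re.compile(r"^(\S+) sshd Failed password for (\S+) from (\S+) port \d+$")
DROP_RE = re.compile(r"^(\S+) fw DROP src=(\S+) dst=(\S+) dport=(\d+)$")

def max_events_in_window(events: List[Tuple[datetime, object]], window_seconds: int,
                         distinct: bool = False) -> int:
    """Largest number of events (or distinct keys) falling inside any window of the given length."""
    events = sorted(events, key=lambda e: e[0])
    best, start = 0, 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
            start += 1
        window = events[start:end + 1]
        count = len({key for _, key in window}) if distinct else len(window)
        best = max(best, count)
    return best

def detect(log_text: str, window_seconds: int = 60,
           login_threshold: int = 5, scan_threshold: int = 10) -> List[Dict]:
    """Parse the log and return one alert per source that crosses a threshold."""
    failed: Dict[str, list] = defaultdict(list)   # source -> [(timestamp, user)]
    drops: Dict[str, list] = defaultdict(list)    # source -> [(timestamp, dport)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failed[m.group(3)].append((datetime.fromisoformat(m.group(1)), m.group(2)))
            continue
        m = DROP_RE.match(line)
        if m:
            drops[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(4))))

    alerts = []
    for src, events in failed.items():
        n = max_events_in_window(events, window_seconds)
        if n >= login_threshold:
            alerts.append({"type": "brute_force", "source": src, "count": n})
    for src, events in drops.items():
        n = max_events_in_window(events, window_seconds, distinct=True)
        if n >= scan_threshold:
            alerts.append({"type": "port_scan", "source": src, "count": n})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two single events from 10.2.0.7 stay below threshold and produce no alert, which is the point of windowed counting: an IDS raises on patterns over time, not on every dropped packet, and the thresholds are the tuning knobs that trade missed attacks against false alarms.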
36. References
• Baltzan, P. (2016) Business Driven Information Systems, Global Edition, 5th ed. McGraw-Hill, New York.
• Laudon, K.C. and Laudon, J.P. (2016) Management Information Systems: Managing the Digital Firm, 14th ed. Prentice Hall.
• Laudon, K.C. and Laudon, J.P. (2020) Management Information Systems: Managing the Digital Firm, 16th ed. Prentice Hall.