The literature and write report on information system security part 1 of 5 parts
2015
Mohamed Raufik Tajuddin
MBA student: Open University Malaysia
5/1/2015
Table of Contents
Executive summary
Introduction
1.1 Information system security
1.2 DDoS
1.2.1 Flood attacks
1.2.2 Logic or software attacks
1.3.1 Managing Airport Resources
1.3.2 Smart Airport Automation System
Conclusion
References
Executive summary
Information systems need to be secure if they are to be reliable. Since many businesses are
critically reliant on their information systems for key business processes (e.g. websites,
production scheduling, transaction processing), security can be seen to be a very important area
for management to get right. However, there are other parties cashing in on this situation: they
hack into computers and servers and introduce threats into the system, which then cause system
breakdowns and result in business failure.
One of the threats is Distributed denial-of-service (DDoS). On the 10th of October, Narita and
Chubu airports in the east of the country, were both subject to DDoS attacks on their websites
by the hacktivist group Anonymous, as part of its campaign against dolphin hunting, a practice
that, though controversial, is still legal in Japan. (The Japan Times, Oct 29, 2015). A smart
airport automation system gathers and reinterprets a wide variety of aircraft and airport related
data and information around unattended or non-towered airports. Data is gathered from many
different types of sources, and in otherwise incompatible data formats.
Cyber threats to the aviation industry, and specifically the computers controlling aircraft, have
been highlighted by security consultants and at various hacking conferences. Many of the
popular case studies are driven by the curiosity of white hat hackers.
Therefore, adopting good practices, building up threat intelligence, regulatory frameworks,
education and real-time monitoring, and treating cyber security as a whole may prevent
information security system failures.
Introduction
Information systems need to be secure if they are to be reliable. Since many businesses are
critically reliant on their information systems for key business processes (e.g. websites,
production scheduling, transaction processing), security can be seen to be a very important area
for management to get right.
However, there are other parties cashing in on this situation: they hack into computers and
servers and introduce threats into the system, which then cause system breakdowns and result in
business failure.
One of the threats is Distributed denial-of-service (DDoS). On the 10th of October, Narita and
Chubu airports in the east of the country, were both subject to DDoS attacks on their websites
by the hacktivist group Anonymous, as part of its campaign against dolphin hunting, a practice
that, though controversial, is still legal in Japan. (The Japan Times, Oct 29, 2015).
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent
legitimate users of a service from using that service. There are two general forms of DDoS
attacks: those that crash services and those that flood services. A DDoS attack floods a network
with traffic, rendering the network useless to its intended users. The attack will either force the
target network to reset or consume its resources so that it is unable to provide its intended
service.
Attackers will plan their attacks during peak traffic to make the impact harsher. While private
information was not stolen, the attacks still posed a security threat and an inconvenience for
customers and the organisation.
1.1 Information system security
According to the UK Government, Information security is:
"the practice of ensuring information is only read, heard, changed, broadcast and otherwise
used by people who have the right to do so" (Source: UK Online for Business)
Information systems need to be secure if they are to be reliable. Since many businesses are
critically reliant on their information systems for key business processes (e.g. websites,
production scheduling, transaction processing), security can be seen to be a very important area
for management to get right.
Security and disaster training is identified as the top IT required skill that needs to be taught in
IS curriculums (Kim, Hsu, & Stern, 2006). Accordingly, information security and privacy have
become core concepts in information system education (Hentea, Dhillon, & Dhillon, 2006;
Kroenke, 2012; Laudon & Laudon, 2010). Instructors have several approaches to teach security
and privacy concepts. One can take a more traditional lecture based approach or a more hands-
on approach that utilizes labs, case studies, etc. (Gregg, 2008).
Most of the prominent security case studies focus on how businesses deal with data breaches
or privacy issues. For example, McNulty (2007) discusses the impact of a data breach on
customers in a retail electronics setting. The case deals with issues of the best way to
communicate the breach with customers and, overall, forces the participants to consider
disaster response strategy before a disaster occurs. Similarly, Haggerty and Chandrasekhar
(2008) highlight the events leading to and the fallout due to a data breach at TJX. These cases
highlight the issues raised by the enormous amount of data that retailers generate and the onus
on firms to protect the sensitive information. Eisenmann’s (2009) case addresses the severity of growing
dependence on technology in the medical industry.
The case setting is a hospital (medical industry) where the access to medical records is denied,
putting numerous lives at risk. As the hackers try to extort money, the case raises ethical and
legal questions and forces participants to make tough decisions. Coutu (2007) raises ethical
questions about the growing issue of lack of privacy in the networked world. The case addresses
whether the information found on Internet about a person can become a burden in advancing
the person’s careers. Ethical and privacy questions related to confidentiality of data and data
reuse in business settings are also raised (Davenport & Harris, 2007; Fusaro, 2004; Schenberger
& Mark, 2001). Davenport and Harris (2007) present a case that deals with the issue of data
reuse. It is a common practice for businesses to share customer data with the businesses’
affiliates.
The case in question asks at what stage is the sharing of information detrimental to customers?
In a similar vein, Fusaro’s (2004) case asks at what stage do the data collected for customization
cross the boundary and become invasion of privacy? DoubleClick’s profiling issues and breach
of privacy are also well known (Schenberger & Mark, 2001). Complaints filed with the Federal
Trade Commission had a severe impact on the shares of DoubleClick and led to the
development of privacy policies (Schenberger & Mark, 2001).
Therefore, in my opinion information system security is very crucial if we want to welcome
the internet evolution in the business industry. Information systems increase business
productivity, and we may also be facing big data technology. Hence information system
security is so important in our future business going forward. However, there are other parties
cashing in on this situation: they hack into computers and servers and introduce threats into the
system, which then cause system breakdowns and result in business failure.
One of the threats is Distributed denial-of-service (DDoS).
1.2 DDoS
Battling distributed denial-of-service (DDoS) and malware attacks is part of everyday business
for all organisations, and so is defending against newer cyber threats. DDoS attacks bombard
a network or website with traffic (i.e., requests for service) to crash it and leave it vulnerable
to other threats.
Figure 1.0: DDoS flow chart (image not reproduced). The chart shows the flow from the running
client program to the handler, the compromised machines, the internet, and the targeted servers.
The most serious attacks are distributed and in many or most cases involve forging of IP sender
addresses (IP address spoofing) so that the location of the attacking machines cannot easily be
identified, nor can filtering be done based on the source address.
1.2.1 Flood attacks
A remote system is overwhelmed by a continuous flood of traffic designed to consume
resources at the targeted server (CPU cycles and memory) and/or in the network (bandwidth
and packet buffers). These attacks result in degraded service or a complete site shutdown.
1.2.1.1 TCP SYN Flood Attack: Taking advantage of a flaw in TCP three-way handshake
behaviour, an attacker makes connection requests aimed at the victim server with packets with
unreachable source addresses. The server is not able to complete the connection requests and,
as a result, the victim wastes all of its network resources. A relatively small flood of bogus
packets will tie up memory, CPU, and applications, resulting in the shutdown of a server.
1.2.1.2 Smurf IP Attack: An attacker sends forged ICMP echo packets to broadcast
addresses of vulnerable networks. All the systems on these networks reply to the victim with
ICMP echo replies. This rapidly exhausts the bandwidth available to the target, effectively
denying its services to legitimate users.
1.2.1.3 UDP Flood Attack: UDP is a connectionless protocol and it does not require any
connection setup procedure to transfer data. A UDP Flood Attack is possible when an
attacker sends a UDP packet to a random port on the victim system. When the victim system
receives a UDP packet, it will determine what application is waiting on the destination port.
When it realizes that there is no application that is waiting on the port, it will generate an
ICMP destination unreachable packet to the forged source address. If enough UDP packets
are delivered to ports on the victim, the system will go down.
1.2.1.4 ICMP Flood Attack: An ICMP attack can come in many forms. There are two basic
kinds, floods and nukes. An ICMP flood is usually accomplished by broadcasting either a
bunch of pings (not IRC pings but ICMP pings; similar purpose, but handled differently) or
UDP packets (which are used in software like PointCast). The idea is to send so much data to
your system that it slows down so much that you are disconnected from IRC due to a ping
timeout. Nukes exploit bugs in certain operating systems, like Windows 95 and Windows
NT. The idea is to send a packet of information that the OS can't handle. Usually, they cause
your system to lock up.
1.2.2 Logic or software attacks
A small number of malformed packets are designed to exploit known software bugs on the
target system. These attacks are relatively easy to counter either through the installation of
software patches that eliminate the vulnerabilities or by adding specialized firewall rules to
filter out malformed packets before they reach the target system.
1.2.2.1 Ping of Death: An attacker sends an ICMP ECHO request packet that is much larger
than the maximum IP packet size to victim. Since the received ICMP echo request packet is
bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may
be crashed or rebooted as a result.
1.2.2.2 Teardrop: An attacker sends two fragments that cannot be reassembled properly, by
manipulating the offset value of the packet, causing a reboot or halt of the victim system. Many
other variants such as targa, SYNdrop, Boink, Nestea, Bonk, TearDrop2 and NewTear are available.
1.2.2.3 Land: An attacker sends a forged packet with the same source and destination IP
address. The victim system will be confused and crash or reboot.
1.2.2.4 Echo/Chargen: The character generator (chargen) service is designed to simply
generate a stream of characters. It is primarily used for testing purposes. Remote users/intruders
can abuse this service by exhausting system resources. Spoofed network sessions that appear
to come from that local system's echo service can be pointed at the chargen service to form a
"loop." This session will cause huge amounts of data to be passed in an endless loop that causes
heavy load to the system. When this spoofed session is pointed at a remote system's echo
service, this denial of service attack will cause heavy network traffic/overhead that
considerably slows your network down. It should be noted that an attacker does not need to be
on your subnet to perform this attack as he/she can forge the source addresses to these services
with relative ease.
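As an added illustration (not part of the original report), the following Python sketch turns the flood attacks of 1.2.1 and the malformed-packet attacks of 1.2.2 into the kind of detection checks a defender would run over packet summaries: it flags Land (source equals destination), Ping of Death (echo request larger than a legal IPv4 datagram), Smurf (echo request aimed at a broadcast address), an Echo/Chargen loop, half-open SYNs per target as a SYN-flood indicator, and overlapping fragments as a Teardrop indicator. The Pkt record, the addresses and the constructed sample traffic are assumptions made for the example.

```python
from dataclasses import dataclass
MAX_IP_LEN = 65535  # largest legal IPv4 datagram; an echo request reassembling above it is a Ping of Death

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    flags: str = ""       # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = SYN-ACK
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request
    total_len: int = 0    # reassembled datagram length in bytes
    frag_off: int = -1    # fragment offset in bytes, -1 when not a fragment
    frag_len: int = 0     # fragment payload length in bytes

def packet_signatures(p: Pkt) -> list:
    """Stateless per-packet checks: Land, Ping of Death, Smurf broadcast echo, Echo/Chargen loop."""
    hits = []
    if p.src == p.dst:
        hits.append("land")
    echo_req = p.proto == "ICMP" and p.icmp_type == 8
    if echo_req and p.total_len > MAX_IP_LEN:
        hits.append("ping-of-death")
    if echo_req and p.dst.endswith(".255"):  # /24 directed broadcast assumed for the sample
        hits.append("smurf")
    if p.proto == "UDP" and {p.sport, p.dport} == {7, 19}:
        hits.append("echo-chargen-loop")
    return hits

def half_open_per_target(pkts: list) -> dict:
    """SYN-flood indicator: per target, count SYN sources that never send a follow-up ACK."""
    syn_sources, acked = {}, set()
    for p in pkts:
        if p.proto == "TCP" and p.flags == "S":
            syn_sources.setdefault(p.dst, set()).add(p.src)
        elif p.proto == "TCP" and "A" in p.flags:
            acked.add((p.src, p.dst))
    return {dst: sum((s, dst) not in acked for s in srcs) for dst, srcs in syn_sources.items()}

def teardrop_overlap(frags: list) -> bool:
    """Teardrop indicator: fragments of one datagram whose byte ranges overlap."""
    ordered = sorted(frags, key=lambda f: f.frag_off)
    return any(b.frag_off < a.frag_off + a.frag_len for a, b in zip(ordered, ordered[1:]))
SAMPLE = [  # constructed sample traffic for the demonstration, not captured data
    Pkt("10.0.0.5", "10.0.0.5", "TCP", flags="S", dport=80),                    # Land
    Pkt("203.0.113.9", "198.51.100.255", "ICMP", icmp_type=8, total_len=84),    # Smurf
    Pkt("203.0.113.9", "198.51.100.7", "ICMP", icmp_type=8, total_len=65600),   # Ping of Death
    Pkt("203.0.113.9", "198.51.100.7", "UDP", sport=7, dport=19),               # Echo/Chargen
] + [Pkt(f"192.0.2.{i}", "198.51.100.7", "TCP", flags="S", dport=80) for i in range(1, 51)]  # spoofed SYNs
SAMPLE += [Pkt("198.51.100.20", "198.51.100.7", "TCP", flags="S", dport=80),
           Pkt("198.51.100.20", "198.51.100.7", "TCP", flags="A", dport=80)]   # one completed handshake
TEARDROP = [Pkt("203.0.113.9", "198.51.100.7", "UDP", frag_off=0, frag_len=36),
            Pkt("203.0.113.9", "198.51.100.7", "UDP", frag_off=24, frag_len=4)]  # second fragment overlaps the first
print(half_open_per_target(SAMPLE), teardrop_overlap(TEARDROP))
```

Real deployments would replace the constructed list with records from a capture or flow export and tune the half-open count against a baseline for the target.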
1.3.1 Managing Airport Resources
1.3.1.1 The airport operator should also ensure that the necessary communications
infrastructure is provided, and that all necessary systems and procedures can be installed and
operated. It is essential that information exchange between all airport users is coordinated and
agreed upon, taking into account the technological solutions and standards best suited to each
particular situation, and in accordance with international standards.
1.3.1.2 The goal of the automation system is to make airports as intelligent as possible.
Centralized in this context means that automatic control is done by a single controller or
control station. The automation system (AS) has a two-level architecture consisting of a control
network level and a common backbone network, which together form the automation network
(AN). The control network connects the field devices. It has a small bandwidth, in the order
of a few kbit/s. The management devices cannot be connected through this control network;
control sub-networks and management devices are connected via a high-bandwidth backbone
network, and this network is also used to connect the AS to foreign networks (e.g. the Internet).
1.3.2 Smart Airport Automation System
A smart airport automation system gathers and reinterprets a wide variety of aircraft and airport
related data and information around unattended or non-towered airports. Data is gathered from
many different types of sources, and in otherwise incompatible data formats. The smart airport
automation system then decodes, assembles, fuses, and broadcasts structured information, in
real-time, to aircraft pilots. The fused information is also useful to remotely located air traffic
controllers who monitor non-towered airport operations. The system includes a data fusion and
distribution computer that imports aircraft position and velocity, weather, and airport specific
data. The data inputs are used to compute safe takeoff and landing sequences, and other airport
advisory information for participating aircraft.
Conclusion
There is no such thing as failsafe security for information systems. It is noted that the majority
of data breaches since 2005. Therefore, it is important to address this segment so that
appropriate protections are in place.
To this end, Gartner research recommends the use of case studies in educational settings to
improve the security (Lowendahl et al., 2006). The events leading up to the breach and the
subsequent analysis are presented.
When designing security controls, a business needs to address the following factors:
Prevention: What can be done to prevent security accidents, errors and breaches? Physical
security controls (see more detailed revision note) are a key part of prevention techniques, as
are controls designed to ensure the integrity of data (again, see more detailed revision note).
Detection: Spotting when things have gone wrong is crucial; detection needs to be done as soon
as possible, particularly if the information is commercially sensitive. Detection controls are
often combined with prevention controls (e.g. a log of all attempts to achieve unauthorised
access to a network).
Deterrence: Deterrence controls are about discouraging potential security breaches.
Data recovery: If something goes wrong (e.g. data is corrupted or hardware breaks down) it is
important to be able to recover lost data and information.
In conclusion, the case demonstrates the security problems and proposes possible solutions in
an educational setting.
References
1. "Types of DDoS Attacks". Distributed Denial of Service Attacks (DDoS) Resources,
Pervasive Technology Labs at Indiana University, Advanced Networking
Management Lab (ANML). December 3, 2009. Archived from the original on 2010-09-14.
Retrieved December 11, 2013.
2. Caruso, J. B. (2003). Information technology security: Governance, strategy, and
practice in higher education. ECAR, 1-7.
3. Coutu, D. (2007). We googled you. Harvard Business Review, 2007, 37-42.
4. Davenport, T. H., & Harris, J. G. (2007). The dark side of customer analytics.
Harvard Business Review, May, 37-41.
5. Eisenmann, C. (2009). When hackers turn to blackmail. Harvard Business Review,
October, 39-42.
6. Haggerty, N. R. D., & Chandrasekhar, R. (2008). Security breach at TJX. Ivey
Publishing, 9B08E003.
7. Hentea, M. (2005). A perspective on achieving information security awareness. Issues
in Informing Science and Information Technology, 2, 169-178.