This document discusses information system security and computer-related issues. It covers topics like computer waste, crime, privacy and ethical issues. Specific types of computer waste and mistakes are examined, along with policies and procedures to prevent them. Computer crime is explored, including the computer as a tool for crime and as an object of crime. Issues like identity theft, cyberterrorism, and vulnerabilities are summarized. Internal threats from employees are also mentioned.

1. Chapter 9: Information System
Security
Filmon Habtemichael

2. Introduction
♦ Computers have become such valuable tools that today’s
business people have difficulty imagining work without
them.
♦ Yet the information age has also brought the following
potential problems for workers, companies, and society in
general:
• Computer waste and mistakes
• Computer crime
• Privacy issues
• Work environment problems
• Ethical issues

3. Computer Waste
♦ Discard old software and computer systems when
they still have value.
♦ Build and maintain complex systems that are never used to
their fullest extent.
♦ Employees playing computer games, sending unimportant
e-mail, or accessing the Internet.
♦ Junk e-mail, also called spam, and junk faxes cause waste.
– It wastes time and also computer resources.
– Spam messages often carry attached files with embedded viruses
♦ A spam filter is software that attempts to block unwanted
e-mail
– This can be disastrous for people in sales or customer service
– Image-based spam is a new tactic spammers use to circumvent
spam-filtering software

4. PREVENTING COMPUTER-RELATED WASTE AND MISTAKES
♦ Preventing waste and mistakes involves
(1)Establishing,
(2)Implementing,
(3)Monitoring, and
(4)Reviewing effective policies and procedures.

5. Establishing Policies and Procedures
♦ A survey of 304 U.S. companies determined that
over one-fourth of bosses have fired employees for
inappropriate use of e-mail and one-third have fired
workers for wasting valuable time on the Internet.
♦ The first step to prevent computer-related waste is to
establish policies and procedures regarding efficient
acquisition, use, and disposal of systems and devices.
♦ Prevention of computer-related mistakes begins by
identifying the most common types of errors

6. …Establishing policies continued
♦ Types of computer-related mistakes include the following:
– Data-entry or data-capture errors
– Errors in computer programs
– Errors in handling files, including formatting a disk by
mistake, copying an old file over a newer one
– Mishandling of computer output
– Inadequate planning for control of equipment
malfunctions
– Inadequate planning for and control of environmental
difficulties (such as electrical and humidity problems)
– Failure to provide access to the most current
information by not adding new Web links and not
deleting old links

7. Implementing Policies and Procedures
♦ Most companies develop such policies and procedures
with advice from the firm’s internal auditing group or its
external auditing firm.
♦ The policies often focus on the implementation of source
data automation and the use of data editing to ensure data
accuracy and completeness
♦ Some useful policies to minimize waste and mistakes
include the following:
– The system should have controls to prevent invalid and unreasonable data
entry.
– A user manual should be available covering operating procedures

8. Monitoring Policies and Procedures
♦ Many organizations implement internal audits to measure
actual results against established goals, such as
– percentage of end-user reports produced on time,
– percentage of data-input errors detected,
– number of input transactions entered per eight hour shift, &so on.

9. Reviewing Policies and Procedures
♦ Do current policies cover existing practices adequately?
♦ Does the organization plan any new activities in the
future?
♦ Are contingencies and disasters covered?

10. …Reviewing Policies and Procedures
♦ Preventing errors and mistakes is one way to do so.
♦ Another is implementing in-house security measures and
legal protections to detect and prevent a dangerous type of
misuse: computer crime.

11. ♦ Wireless Security Challenges
– radio frequency bands are easy to scan.
– Both Bluetooth and Wi-Fi networks are susceptible to hacking by
eavesdroppers.
– war driving eavesdroppers drive by buildings or park outside and
try to intercept wireless network traffic

12. COMPUTER CRIME
♦ Today, computer criminals are bolder and more creative
than ever. With the increased use of the Internet, computer
crime is now global
♦ The following is a sample of recent computer crimes:

13. …Computer crimes
♦ A Chilean hacker gathered personal data about 6 million
people from various Chilean government sites including
names, addresses, phone numbers, ID numbers, and e-mail
addresses and posted them to a blog site for all to see. The
hacker’s motivation was to protest his country’s weak data
security.
♦ A 15-year-old Pennsylvania student broke into an
educational network and saved on a flash drive the names,
addresses, and Social Security numbers of some 55,000
people. The student was arrested and charged with four
offenses of unlawful duplication and theft.

14. …Computer crimes
♦ When customers initially link their brokerage accounts to
their bank account to allow the transfer of funds, firms
such as E*Trade and Schwab.com use a test procedure to
make micro-deposits of a few cents to a few dollars to the
bank account to ensure that the account numbers and
routing information are correct. A hacker took advantage
of a backdoor to this procedure by opening tens of
thousands of banking accounts with the brokerages and
linked them to fraudulent brokerage accounts to collect the
microdeposits. The hacker stole more than $50,000 over
six months

15. ♦ Part of what makes computer crime so unique and difficult
to combat is its dual nature—the computer can be
both the tool used to commit a crime and the object of that
crime.

16. THE COMPUTER AS A TOOL TO COMMIT CRIME
♦ Many people who commit computer-related crime claim
they do it for the challenge, not for the money.
♦ Criminals need two capabilities to commit most computer
crimes.
– First, the criminal needs to know how to gain access to the
computer system.
– Second, the criminal must know how to manipulate the system to
produce the desired result
♦ Social engineering
– Using social skills to get computer users to provide information to
access an information system or its data.
♦ Dumpster diving
– Going through the trash cans of an organization to find secret or
confidential information, including information needed to access
an information system or its data.

17. Cyberterrorism
♦ Cyber-terrorist: Someone who intimidates or
coerces a government or organization to advance his
political or social objectives by launching computer-based
attacks against computers, networks, and the information
stored on them.
– China, the United States, South Korea, Russia, and Taiwan are
currently the sources of most of the world’s malware
♦

18. …Cyberterrorism
♦ The small Baltic nation of Estonia was subjected to a
cyberterrorism attack for three weeks in 2007 that disabled
government and corporate networks. The attack followed
deadly riots by the nation’s ethnic Russian minority in
response to the relocation of a Soviet war memorial.
Moscow has denied any involvement.
♦ Pro-China cyberterrorists launched a brief denial-of-
service attack on the CNN Web site, which they believe
has been overly critical of China, to protest the news
network’s coverage of Tibet. The attack was cancelled
after less than 30 minutes, but the group threatened to
launch another attack in the near future.

19. Cyberwarfare
♦ Cyberwarfare is a state-sponsored activity designed to
cripple and defeat another state or nation by penetrating its
computers or networks for the purposes of causing damage
and disruption.
– There are 250,000 probes trying to find their way into the U.S.
Department of Defense networks every hour
– Over the years, hackers have stolen plans for missile tracking
systems, satellite navigation devices, surveillance drones, and
leading-edge jet fighters.
– STUXNET

20. …Cyberwarfare
♦ n July 2010, reports surfaced about a Stuxnet worm
that had been targeting Iran’s nuclear facilities
♦ Malicious software had infected the Iranian nuclear
facilities and disrupted the nuclear program by disabling
the facilities' centrifuges. Wiped 1/5th
of it. It delayed Iran 5
years
♦ It is the first visible example of industrial cyberwarfare
♦ TheWindows-based worm had a “dual warhead.”
– One part was designed to lay dormant for long periods, then speed
up Iran’s nuclear centrifuges so that they spun wildly out of
control.
– Another secretly recorded what normal operations at the nuclear
plant looked like and then played those recordings back to plant
operators so it would appear that the centrifuges were operating
normally when they were actually tearing themselves apart.

21. Identity Theft
♦ Identify theft
A crime in which an imposter obtains key pieces of
personal identification information, such as Social Security
or driver’s license numbers, to impersonate someone else.
♦ shoulder surfing—the identity thief simply stands next to
someone at a public office, such as the Bureau of Motor
Vehicles, and watches as the person fills out personal
information on a form

22. THE COMPUTER AS THE OBJECT OF CRIME
♦ A computer can also be the object of the crime, rather than
the tool for committing it.
♦ Vulnerability of a computer increases the risk of
becoming object of crime

23. Internet Vulnerabilities
♦ Computers that are constantly connected to the Internet by
cable modems or digital subscriber line (DSL) lines are
more open to penetration by outsiders because they use
fixed Internet addresses where they can be easily
identified.
– With dial-up service, a temporary Internet address is assigned for
each session.
– A fixed Internet address creates a fixed target for hackers.
♦ Most Voice over IP (VoIP) traffic over the public Internet
is not encrypted, so anyone with a network can listen in on
conversations
♦ Vulnerability has also increased from widespread use of e-
mail, instant messaging (IM), and peer-to-peer file-sharing
programs.

24. INTERNAL THREATS: EMPLOYEES
♦ We tend to think the security threats to a business originate
outside the organization. In fact, company insiders pose
serious security problems.
♦ Studies have found that user lack of knowledge is the
single greatest cause of network security breaches
♦ Malicious intruders seeking system access sometimes trick
employees
♦ Social engineering Tricking people into revealing their
passwords by pretending to be legitimate users or members
of a company in need of information

25. …THE COMPUTER AS THE OBJECT OF CRIME
♦ These crimes fall into several categories:
– illegal access and use,
– Data alteration and destruction,
– Information and equipment theft,
– Software and Internet piracy,
– Computer-related scams, and
– international computer crime.

26. Illegal Access and Use
♦ Hacker- A person who enjoys computer technology and
spends time learning and using computer systems.
♦ Criminal hacker (cracker)- A computer-savvy person who
attempts to gain unauthorized or illegal access to computer
systems to steal passwords, corrupt files and programs, or
even transfer money
♦ Script bunny- A cracker with little technical savvy who
downloads programs called scripts, which automate the job
of breaking into computers.

27. ♦ Insider : An employee, dissatisfied or otherwise, working
solo or in concert with outsiders to compromise corporate
systems
♦ Cyber vandalism- Intentional disruption, defacement, or
destruction of a Web site or corporate information system.
♦ Ransomware: Cybercriminals extort money from victims
by locking their devices remotely or by obtaining
embarrassing photos, documents, and other material that
can be dangled for a price.
♦ Rogues / Scareware (Rogue Anti Virus) pretend to be
security software. Often, fake warnings are used to make
you purchase the security software, which the pirates profit
from.

28. …Illegal Access and Use
♦ Some criminals have started phony VoIP phone companies
and sold subscriptions for services to unsuspecting
customers.
♦ Catching and convicting criminal hackers remains a
difficult task.

29. MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN
HORSES, AND SPYWARE
♦ Malicious software programs are referred to as malware
and include a variety of threats, such as computer viruses,
worms, and Trojan horses
♦ As many as one of every 10 downloads from the Web
includes harmful programs
♦ The amount of harmful software in the world passed the
amount of beneficial software in 2007
♦ The security firm McAfee found nearly 13,000 different
kinds of malware targeting mobile devices in 2012, with
almost all attacks targeting devices using Google’s
Android operating system.

30. ♦ Virus- A computer program file capable of attaching to
disks or other files and replicating itself repeatedly,
typically without the user’s knowledge or permission
♦ Worm- A parasitic computer program that can create
copies of itself on the infected computer or send copies to
other computers via a network.
– Worms are parasitic computer programs that replicate but, unlike
viruses, do not infect other computer program files.
♦ Trojan horse- A malicious program that disguises itself as
a useful application or game and purposefully does
something the user does not expect
– E.g. MMarketPay- Trojan for Android phones.
– It has been detected in multiple app stores and has spread to more
than 100,000 devices.

31. ♦ Trojans are not viruses because they do not replicate, but
they can be just as destructive.
♦ A logic bomb is a type of Trojan horse that executes when
specific conditions occur
♦ A rootkit is a set of programs that enable its user to gain
administrator level access to a computer or network.
♦ A variant is a modified version of a virus that is produced
by the virus’s author or another person who amends the
original virus code.
– if the changes are significant, the variant might go undetected
by antivirus software.
♦ SQL injection attack Attacks against a Web site that take
advantage of vulnerabilities in poorly coded SQL
applications in order to introduce malicious program code

32. Spoofing
♦ Spoofing is tricking or deceiving computer systems or
other computer users by hiding one's identity or faking the
identity of another user on the Internet
– One increasingly popular tactic is a form of spoofing is phishing.
– In a more targeted form of phishing called spear phishing,
messages appear to come from a trusted source, such as an
individual within the recipient's own company or a friend.
– Phishing techniques called evil twins and pharming are harder to
detect.
– Evil twins- Wireless networks that pretend to be legitimate to
entice participants to log on and reveal passwords or credit card
numbers
– Pharming- Phishing technique that redirects users to a bogus Web
page, even when an individual enters the correct Web page
address.

33. Sniffing
♦ Sniffing- Type of eavesdropping program that monitors
information traveling over a network
– When used legitimately, sniffers help identify potential network
trouble spots or criminal activity on networks

34. Click fraud
♦ click fraud is falsely clicking on an online ad in pay
per click advertising to generate an improper charge per
click.
♦ It occurs when an individual or computer program
fraudulently clicks on an online ad without any intention
of learning more about the advertiser or making a
purchase.
♦ Click fraud has become a serious problem at
Google and other similar Web sites
♦ Some companies hire third parties (typically from low-
wage countries) to fraudulently click
♦ Click fraud can also be carried out with software programs
doing the clicking, and botnets are often used for this
purpose.

35. Using Antivirus Programs
♦ Some of the most highly rated antivirus software for 2015
include
– Bitdefender Antivirus Plus
– Kaspersky Anti-Virus
– McAfee AntiVirus Plus
– Norton Security
– Trend Micro Antivirus+ Security
– Avira Antivirus pro
– BullGuard Antivirus
– Escan Antivirus
– Zone Alarm Antivirus
– G-Data Antivirus
– Avast Pro Antivirus
– AVG AntiVirus
– Malwarebytes Anti-Exploit
– Webroot SecureAnywhere Antivirus
– Emsisoft Anti-Malware
– F-Secure Anti-Virus
– Panda Antivirus Pro
– ESET NOD32 Antivirus

36. ♦ Future antivirus programs might incorporate “nature-based
models” that check for unusual or unfamiliar computer
code.
♦ The advantage of this type of antivirus program is the
ability to detect new viruses that are not part of an
antivirus database.

37. ♦ Hoax, or false, viruses are another problem.
♦ Criminal hackers sometimes warn the public
of a new and devastating virus that doesn’t exist to create
fear
♦ Companies sometimes spend hundreds of hours warning
employees and taking preventive action against a
nonexistent virus.

38. ♦ Spyware
Software that is installed on a personal computer to
intercept or take partial control over the user’s
interaction with the computer without knowledge or
permission of the user.
♦ Key loggers are forms of spyware which record every
keystroke made on a computer to
– steal serial numbers for software,
– to launch Internet attacks,
– to gain access to e-mail accounts,
– to obtain passwords to protected computer systems, or
– to pick up personal information such as credit card numbers.

39. Examples of Computer crime

40. Information and Equipment Theft
♦ Password sniffer- A small program hidden in a network or
a computer system that records identification numbers and
passwords.

41. ….Information and Equipment Theft
To fight computer crime, many companies use devices that
disable the disk drive or lock the computer to the desk

42. Safe Disposal of Personal Computers
♦ Donation of personal computers no longer needed
♦ Sell at a deep discount to employees or auction.
♦ However, care must be taken to ensure that all traces of
any personal or company confidential data is completely
removed.
♦ Simply deleting files and emptying the Recycle Bin does
not make it impossible for determined individuals to view
the data.
♦ Be sure to use disk-wiping software utilities that overwrite
all sectors of your disk making all data unrecoverable.
♦ Darik’s Boot and Nuke (DBAN) is free and can be
downloaded from the SourceForge Web site.

43. Patent and Copyright Violations
♦ Software piracy- The act of unauthorized copying or
distribution of copyrighted software
– It involves the copying, downloading, sharing, selling, or installing
of multiple copies onto personal or work computers
♦ When you purchase software, you are purchasing a license
to use it; you do not own the actual software.

44. Computer-Related Scams
♦ Scam: works by sending customers an e-mail including a
link that seems to direct users to their bank’s Web site.
♦ At the site, they are greeted with a pop-up box asking them
for their full debit card numbers, their personal
identification numbers, and their credit card expiration
dates.
♦ The problem is that the Web site customers are directed to
is a fake site operated by someone trying to gain access to
their private information. As discussed previously, this
form of scam is called phishing.

45. Using Intrusion Detection Software
♦ Intrusion detection system (IDS)
Software that monitors system and network resources and
notifies network security personnel when it senses a
possible intrusion.
♦ Examples of suspicious activities include
– repeated failed logon attempts,
– attempts to download a program to a server, and
– access to a system at unusual hours

46. Security Dashboard
♦ Security dashboard is software that provides a
comprehensive display on a single computer screen of all
the vital data related to an organization’s security defenses
including threats, exposures, policy compliance and
incident alerts
♦ The goal is to reduce the effort required for monitoring and
to identify threats earlier.
♦ Data comes from a variety of sources including firewalls,
applications, servers, and other software and hardware
devices

47. Internet Libel Concerns
♦ A publisher, such as a newspaper, can be sued for libel,
which involves publishing an intentionally false written
statement that is damaging to a person’s reputation
♦ Geolocation tools match the user’s IP address with outside
information to determine the actual geographic location of
the online user where the customer’s computer signal
enters the Internet.
♦ But there are differences which you need to understand
when the false statements are made on-line.
♦

48. …Internet Libel concerns
♦ Defamation: An unprivileged false statement of fact
which tends to harm the reputation of a person or
company. This is a catch-all term for both libel and
slander.
♦ Libel: Defamation which is written such as on a web site.
Most on-line defamation occurs through libel by posting a
web page, comment, bulletin board post, review, rating or
blog post.
♦ Slander: Defamation that is spoken such as through an
transcribed video, podcast or audio file

49. THE ROLE OF AUDITING
♦ An MIS audit examines the firm’s overall security
environment as well as controls governing individual
information systems.

50. MIS Audit

51. Business value of security and control
♦ Information assets, such as confidential employee records,
trade secrets, or business plans, lose much of their value if
they are revealed to outsiders or if they expose the firm to
legal liability.
♦ New laws require companies to practice stringent
electronic records management and adhere to strict
standards for security, privacy, and control.
♦ Legal actions requiring electronic evidence
and computer forensics also require firms to pay more
attention to security and electronic records
management.

52. Framework for security and control
♦ Firms need to establish a good set of both general and
application controls for their information
systems.
♦ Risk assessment evaluates information assets, identifies
control points and control weaknesses, and determines the
most cost-effective set of controls
♦ Firms must also develop a coherent corporate security
policy and plans for continuing business operations in the
event of disaster or disruption.
♦ Comprehensive and systematic MIS auditing helps
organizations determine the effectiveness of security and
controls for their information systems.

53. Tools and technologies for security
♦ Passwords, tokens, smart cards, and biometric
authentication are used to authenticate system users
♦ Anti Virus, Anti spyware
♦ Encryption
♦ Digital certificates(an electronic document used to prove
ownership of a public key)
♦ Companies can use fault-tolerant computer systems or
create high-availability computing environments to make
sure that their information systems are always available.
♦ Use of software metrics and rigorous software testing help
improve software quality and reliability