Management Information Systems

IS 300
Summer 2020

Information Security

1
 Learning Objectives
• Identify the factors that contribute to the increasing vulnerability
of information resources and specific examples of each factor.
• Compare and contrast human mistakes and social engineering,
along with specific examples
• Discuss the types of deliberate attacks.
• Describe the three risk mitigation strategies
• Identify the major types of controls that organizations can use to
protect their information resources.

2
 Human Mistakes

The human factor is still the biggest threat to information systems today. For example, in
social engineering a perpetrator uses social skills to trick or manipulate legitimate
employees into providing confidential company information such as passwords. 3
 Why do we need IT security?
• Ongoing data breaches
• Intellectual Property theft
– Billions in lost revenue for corporations including brand reputation
• According to the United States Patent and Trademark Office the most important
corporate asset is intellectual property
– Trade Secret: consist of information and can include a formula, pattern, compilation,
program, device, method, technique or process.
– Trademark: is a word, phrase, symbol, and/or design that identifies and distinguishes
the source of the goods of one party from those of others.
– Patent: is a limited duration property right relating to an invention, granted by the
United States Patent and Trademark Office in exchange for public disclosure of the
invention. An official document that grants the holder exclusive rights on an invention or
a process for a specified period of time.
– Copyright: protects original works of authorship including literary, dramatic, musical,
and artistic works, such as poetry, novels, movies, songs, computer software, and
architecture. A statutory grant that provides the creators or owners of intellectual
property with ownership of the property, also for a designated period. 4
 Five Key Factors Increasing Vulnerability
1. Today’s interconnected, interdependent, wirelessly
networked business environment
2. Smaller, faster, cheaper computers and storage
devices
3. Decreasing skills necessary to be a computer hacker
4. International organized crime taking over
cybercrime
5. Lack of management support

5
 Deliberate Threats to Information Systems
• Espionage or Trespass: occurs when an unauthorized individual attempts to gain
illegal access to organizational information.
• Information Extortion: occurs when an attacker either threatens to steal, or
actually steals, information from a company. The perpetrator demands payment
for not stealing the information, for returning stolen information, or for agreeing
not to disclose the information.
• Sabotage and Vandalism: deliberate acts that involve defacing an organization’s
Web site, potentially damaging the organization’s image and causing its customers
to lose faith.
• Theft of Equipment or Information: Computing devices and storage devices are
becoming smaller yet more powerful with vastly increased storage and as a result
these devices are becoming easier to steal (e.g. dumpster diving).
• Identity Theft: is the deliberate assumption of another person’s identity, usually to
gain access to his or her financial information or to frame him or her for a crime.

6
Deliberate Threats to Information Systems
• Supervisory Control and Data Acquisition Attacks (SCADA):
refers to a large-scale, distributed measurement and control
system. SCADA systems are used to monitor or to control
chemical, physical, and transport processes such as those
used in oil refineries, water and sewage treatment plants,
electrical generators, and nuclear power plants.
• Cyberterrorism and Cyberwarfare: refer to malicious acts in
which attackers use a target’s computer systems, particularly
via the Internet, to cause physical, real-world harm or severe
disruption, often to carry out a political agenda.

7
 Software Attacks
• Viruses: is a program that attaches itself to another computer program with or
without permission of the user
• Worms: Segment of computer code that performs malicious actions and will
replicate, or spread, by itself without requiring another computer program.
• Trojan Horse: Software programs that hide in other computer programs and reveal
their designed behavior only when they are activated.
• Key loggers: record every keystroke made on a computer to steal serial numbers
for software, userids and passwords etc.
• Back Door: Typically a password, known only to the attacker, that allows him or
her to access a computer system at will, without having to go through any security
procedures (also called a trap door).
• Fileless: written directly to RAM wherein code is injected into a running
application process in the background
8
 Software Attacks
• Metamorphic : malicious viruses which can change its base code while
propagating throughout the network or system
• Phishing: Phishing attacks use deception to acquire sensitive personal information
by masquerading as official-looking e-mails or instant messages.
• Spear Phishing: Phishing attacks target large groups of people. In spear phishing
attacks, the perpetrators find out as much information about an individual as
possible to improve their chances that phishing techniques will obtain sensitive,
personal information
• Ransomware: Malicious software designed to block access to a computer system
until a sum of money is paid.
• Logic bomb: A segment of computer code that is embedded within an
organization’s existing computer programs and is designed to activate and perform
a destructive action at a certain time or date.

9
 Alien Software
• Alien Software: clandestine soft ware that is installed on your
computer through duplicitous methods.
– Adware: software that causes pop-up advertisements to appear
on your screen.
– Spyware: soft ware that collects personal information about users
without their consent. Two common types of spyware are
keystroke loggers and screen scrapers.
– Spamware: pestware that uses your computer as a launch pad for
spammers.
– Spam: unsolicited e-mail, usually advertising for products and
services
– Cookies: small amounts of information that Web sites store on
your computer, temporarily or more or less permanently
10
Difficulties in Protecting Information Resources

11
 Risk Management
• Risk: the probability that a threat will impact an information
resource.
• Risk Management: identifies, controls, and minimizes the
impact of threats. In other words, risk management seeks to
reduce risk to acceptable levels.
• Risk Analyses: ensures IS security programs are cost effective.
• Risk Mitigation: the organization takes concrete actions against
risks which has two functions:
– implementing controls to prevent identified threats from occurring
– developing a means of recovery if the threat becomes a reality

12
 Risk Management
The Three Major Processes of Risk Management:
1. risk analysis
a) assessing the value of each asset being protected
b) estimating the probability that each asset will be
compromised
c) comparing the probable costs of the asset’s being
compromised with the costs of protecting that asset
2. risk mitigation
a) Acceptance, identifying limitations, and transference
3. controls evaluation
13
Information Security Controls

14
 Cyber Security Counter Measures
• Antivirus and antimalware systems:
– Checks computers for presence of malware and can often
eliminate it as well
– Requires continual updating
• Intrusion detection systems:
– Monitors hot spots on corporate networks to detect and
deter intruders
– Examines events as they are happening to discover attacks
in progress

15
 Distributed DoS
Distributed Denial-of-Service Attack: An attacker first takes over many computers,
typically by using malicious software. These computers are called zombies or bots.
The attacker uses these bots—which form a botnet—to deliver a coordinated stream
of information requests to a target computer, causing it to crash.

16
 Forensics
• Forensics includes scientific collection, examination,
authentication, preservation, and analysis of data from
computer storage media for use as evidence in court of law
• Companies are now communicating more and more with e-
mail and other forms of electronic transmissions
• Courts allow all forms of communication as evidence.
• Businesses must develop methods of capturing, storing, and
presenting any and all electronic communications including e-
mail, instant messaging, and e-commerce transactions.
• Includes recovery of ambient and hidden data

17
 Forensics
• According to the Digital Forensic Research Conference:
– The use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis,
interpretation, documentation, and presentation of digital evidence
derived from digital sources for the purpose of facilitating or furthering
the reconstruction of events found to be criminal
– Forensic characteristics are of two physical types: class and individual
– It is critical in a forensic examination to retain the system “as-is” to
preserve electronic evidence. Therefore, investigators typically utilize a
mirror or duplication of the computer-based system under review.
– Cyber defense goal: discovery and recovery of ambient and hidden data
• U.S. courts are increasingly turning to digital evidence for prosecution;
however, cybercrime is increasingly being committed outside of the U.S. via
foreign state actors and therefore is difficult to prosecute. 18
 Audit Trails & Categories
• Audit trail: a series of documented facts that help detect who recorded which
transactions, at what time, and under whose approval
– Sometimes automatically created using data and timestamps
• Certain policy and audit trail controls are required in some countries
• Information systems auditor: a person whose job is to find and investigate
fraudulent cases
Three categories of auditing procedures:
1. Auditing Around the Computer: means verifying processing by checking for known
outputs using specific inputs. This approach is most effective for systems with
limited outputs.
2. Auditing Through the Computer: auditors check inputs, outputs, and processing.
They review program logic, and they test the data contained within the system.
3. Auditing With the Computer: means using a combination of client data, auditor
soft ware, and client and auditor hardware. This approach enables the auditor to
perform tasks such as simulating payroll program logic using live data.
19
 Communication Controls
• Firewall: hardware and software that blocks access to computing resources
– The best defense against unauthorized access over the Internet
– Firewalls are now routinely integrated into routers
• Whitelisting: a process in which a company identifies the soft ware that it will
allow to run on its computers and permits acceptable soft ware to run, and it
either prevents any other soft ware from running or lets new soft ware run
only in a quarantined environment until the company can verify its validity.
• Blacklist: includes certain types of software that are not allowed to run in the
company environment.
• DMZ: demilitarized zone approach
– One end of the network is connected to a trusted network zone behind a
firewall and the other end to the Internet via proxy server
20
 Corporate Firewall Architecture

A demilitarized zone or DMZ is a physical or

logical subnet that contains and exposes an
organization's external-facing services to a usually
larger and untrusted network, usually the Internet.
21
 Virtual Private Network (VPN)
• VPNs are private networks delivered through a public
network (e.g. the internet).
• VPNs extend internal local area networks to remote
offices, business partners, clients, and users.
• VPN technology is enabled through advanced point to
point encryption tunneling protocols which establish
secure end-to-end connection.
• There are two types of VPN connections:
– Remote access
• established through a VPN client
– Site-to-site
• Intranets (within organization)
• Extranets (between organizations)
• Users of a VPN rely on the security of the provider’s
network to protect traffic!
22
 VPN Tunneling

PPTP Packet L2TP Packet

Microsoft Corporation, Technical Reference, “What is a VPN”, 2020 23

 How does encryption work?
• Encryption programs scramble the transmitted information
– Plaintext: the original message
– Ciphertext: the encoded message

24
 How does encryption work?
• Two primary methods
– Symmetric (Advanced Encryption Standard)
• Sender and receiver use a singled shared key (128 bits or greater)
– Public or Asymmetric (Rivest-Shamir-Adleman)
• Sender and receiver use two mathematically related keys:
one public and the other totally private

25
 How does encryption work?
• Encryption transforms plain text (original message) into cipher text (an encoded message) which
cannot be read by unintended recipients
– Data is encrypted and decrypted using a numerical code called a key
– The sender transforms the plaintext into cipher text (cipher)
– The message is then decrypted by the receiver (decipher)
• Banking websites utilizes secure Hypertext Transfer Protocol (HTTPS) for encryption and
decryption and this handled through your internet browser by Transport Layer Security (TLS)
• Transport Layer Security-TLS is the successor to Secure Sockets Layer-SSL and enables HTTPS
as a part of a Public Key Infrastructure (PKI).
• Upon connection to a secure website, TLS performs a handshake protocol key between your
client and the server to establish a bi-directional tunnel for communication
• Hybrid cryptosystem: TLS utilizes a combination of asymmetric and symmetric key encryption
– The website’s server sends the visitor’s browser its public key.
– The visitor’s browser then creates a temporary symmetric session key which is
encrypted with the server’s public key.
– The website’s server receives a copy of the encrypted session key.
– The website and server now use the session key to encrypt/decrypt files exchanged files
within that session.
Example Flow: Digital Certificates

27
Example Flow: Digital Certificates

28