Management Information System & Advanced IT Assignment
LEARNING OUTCOMES
After reading this chapter, you will be able to:
■ understand and assess potential threats to a computer-based information system;
■ propose an overall strategy for ensuring the security of a computer-based information system;
■ identify specific techniques that might be used to protect a computer-based information system against damage or unauthorised access.
MANAGEMENT ISSUES
The concept that information is an important and valuable business asset has been stressed throughout this text. The responsibility for ensuring the security of organisational information systems is one that cannot be taken too lightly. In addition to ensuring that the organisation has uninterrupted access to its information resources, managers must also deal with the threat of outsiders attempting to gain access to those same resources. From a managerial perspective, this chapter addresses the following areas:
■ An understanding of approaches towards information systems security will help managers to develop and implement an overall strategy for security.
■ An understanding of the threats to information systems will help in predicting and anticipating acts such as denial-of-service attacks.
■ Knowledge of specific techniques for protecting information systems will help in the development of effective counter measures.
■ As organisations turn to the Internet for business purposes, it becomes important to understand some of the new threats that must be faced.
CHAPTER AT A GLANCE
MAIN TOPICS
■ The need for controls 540
■ Control strategies 548
■ Types of controls 551
■ Some techniques for controlling information systems 552
■ Threats related to Internet services 562
FOCUS ON . . .
■ Malware 556
CASE STUDIES
15.1 Online cybercrime rings forced to home in on smaller prey 547
15.2 Cybercrime costs US $100bn a year, report says 561
CHAPTER 15 Managing information security
M15_BOCI6455_05_SE_C15.indd 539 10/13/14 4:53 PM
Part 3 BUSINESS INFORMATION SYSTEMS MANAGEMENT 540
INTRODUCTION
The first section of this chapter discusses the need for controls on information systems, paying particular attention to unauthorised access. Having established some of the threats facing modern computer-based systems, several strategies are introduced for ensuring the integrity of an information system. A brief description of some of the controls that can be placed on information systems is followed by a more detailed examination of two areas of contemporary interest: malicious software and threats to Internet services.
THE NEED FOR CONTROLS
Controls upon information systems are based upon two underlying principles:
■ the need to ensure the accuracy of the data held by the organisation;
■ the need to protect against loss or damage.
Although this chapter is largely concerned with unauthorised access and the physical security of information systems, it should be noted that many of the issues raised are also relevant to the discussion of accuracy and privacy that is provided later (in Chapter 17).
The most common threats faced by organisational information systems can be placed into the following categories:
■ accidents
■ natural disasters
■ sabotage (industrial and individual)
■ vandalism
■ theft
■ unauthorised use (hacking)
■ computer viruses and malware.
The following box charts a number of major incidents that made national or international headlines between 2007 and 2011. As can be seen, there has been a marked increase in threats related to the Internet and organisational intranets.
Accidents
A number of estimates suggest that 40–65 per cent of all damage caused to information systems or corporate data arises as a result of human error. The DTI’s Information Security Breaches Survey 2006, for example, states that: ‘Human error rather than flawed technology is the root cause of most security breaches.’ Some examples of the ways in which human errors can occur include:
Why do we need controls? Some computer-related security incidents reported in the media 2007–12
February 2007 Two Dutch hackers received prison sentences and fines for creating a botnet of up to 1.5 million computers. As well as using the network of hijacked computers to steal confidential information from computer users, they also blackmailed companies by threatening to launch denial-of-service attacks.
541 Chapter 15 MANAGING INFORMATION SECURITY
September 2007 The New Zealand secret service suggested the Chinese government had launched cyberattacks against the country’s networks and information systems. Other reports alleged that additional cyberattacks had been launched by China against the UK, France, Germany and the United States.
September 2007 Estimates of the size of the botnet created by the Storm Worm launched in January 2007 range from 10 to 50 million computers.
January 2008 A French bank, Société Générale, lost £3.6 billion as a result of the unauthorised activity of a rogue trader. Jerome Kerviel used his knowledge of anti-fraud procedures to circumvent the bank’s security systems.
August 2008 A senior financial analyst at Countrywide Financial Corp. was arrested for stealing and selling confidential information. The man was said to have downloaded 20,000 customer profiles each week, which he sold for around $500. The information was sold to people in the mortgage industry so that they could make approaches to potential customers. Up to 17 million records were compromised.
October 2008 The FBI and other agencies around the world concluded an undercover operation that resulted in 56 arrests worldwide and saved up to $70 million in potential losses. The case involved an electronic forum called ‘Dark Market’ where criminals bought and sold stolen financial information, such as credit card details. At its peak, Dark Market had more than 2,500 members.
April 2009 The Conficker worm infected up to 15 million computers and resulted in estimated losses of $9.1 billion worldwide. The worm continues to infect computers today (see June 2011). Some specific incidents involving Conficker include:
■ In February 2009, an infection at Manchester City Council resulted in losses of approximately £1.5 million. Removing the worm cost an estimated £1.2 million. Other costs involved £169,000 for hiring extra staff to handle backlogs of work and compensation payments because of delays in issuing benefit payments.
■ In May 2009 computer systems at Ealing Council became infected by the worm from a memory stick used by an employee. The incident cost the Council more than £500,000 in repairs and lost revenues.
December 2009 A hacker gained access to 32 million records owned by social game developer, RockYou. The information compromised included log-in information from social networking sites such as Facebook and MySpace.
March 2010 Albert Gonzalez was sentenced to 20 years in prison for stealing more than 90 million credit and debit card numbers from TJX and other retailers.
September 2010 A mobile phone virus, Zombie, began to infect phones in China. By November 2011, the virus was reported to have infected more than 1 million phones and was costing phone owners $300,000 a day. The problem is made more difficult by the fact that antivirus software is unable to detect Zombie.
■ Inaccurate data entry. As an example, consider a typical relational database management system, where update queries are used to change records, tables and reports. If the contents of the query are incorrect, errors might be produced within all of the data manipulated by the query. Although extreme, significant problems might be caused by adding or removing even a single character to a query.
■ Attempts to carry out tasks beyond the ability of the employee. In smaller computer-based information systems, a common cause of accidental damage involves users attempting to install new hardware items or software applications. In the case of software applications, existing data may be lost when the program is installed or the program may fail to operate as expected.
■ Failure to comply with procedures for the use of organisational information systems. Where organisational procedures are unclear or fail to anticipate potential problems, users may often ignore established methods, act on their own initiative or perform tasks incorrectly.
■ Failure to carry out backup procedures or verify data backups. In addition to carrying out regular backups of important business data, it is also necessary to verify that any backup copies made are accurate and free from errors.
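The first and last of these points lend themselves to simple technical controls. The following Python script is an added illustration, not code from the chapter: it runs an update query inside a transaction and commits only when the number of rows changed and the size of each change are what was intended (so a single mistyped character, or a missing WHERE clause, is rolled back rather than applied to every row the query touches), and it verifies a backup copy by comparing a digest of its contents with the original. The account table, the three queries and the 10 per cent tolerance are constructed for the example.

```python
"""Guarded UPDATE and backup verification against an in-memory SQLite table.

Added illustration, not part of the chapter: the account data, the intended
and mistyped queries and the tolerance thresholds are all constructed here.
"""
import hashlib
import sqlite3

# Constructed sample data: (account id, tier, balance in pence).
SAMPLE_ACCOUNTS = [
    (1, "gold", 100_000),
    (2, "gold", 250_000),
    (3, "silver", 40_000),
    (4, "bronze", 5_000),
]

# The intended query applies a 5 per cent uplift to the two gold accounts.
INTENDED_QUERY = "UPDATE accounts SET balance = balance * 1.05 WHERE tier = 'gold'"
# Deleting one character (the '0') turns 1.05 into 1.5: a 50 per cent uplift
# on every row the query touches.
MISTYPED_QUERY = "UPDATE accounts SET balance = balance * 1.5 WHERE tier = 'gold'"
# Dropping the WHERE clause applies the change to every account in the table.
NO_WHERE_QUERY = "UPDATE accounts SET balance = balance * 1.05"


def open_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed accounts.

    isolation_level=None puts the connection in autocommit mode so that the
    BEGIN / COMMIT / ROLLBACK statements below are the only transaction control.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, tier TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def balances(conn: sqlite3.Connection) -> dict:
    """Return {account id: balance} for the whole table."""
    return dict(conn.execute("SELECT id, balance FROM accounts"))


def guarded_update(conn: sqlite3.Connection, query: str,
                   expected_rows: int, max_ratio: float) -> tuple:
    """Run an UPDATE inside a transaction and commit only if the change is plausible.

    Two checks are applied before COMMIT: the number of rows changed must equal
    expected_rows, and no balance may move by more than max_ratio of its old
    value (0.10 means 10 per cent). Any failure rolls the change back.
    Returns (committed, reason).
    """
    before = balances(conn)
    try:
        conn.execute("BEGIN")
        cur = conn.execute(query)
        if cur.rowcount != expected_rows:
            raise ValueError(f"changed {cur.rowcount} rows, expected {expected_rows}")
        after = balances(conn)
        for acc_id, old in before.items():
            new = after[acc_id]
            if old and abs(new - old) / old > max_ratio:
                raise ValueError(f"account {acc_id} moved from {old} to {new}")
        conn.execute("COMMIT")
        return True, "committed"
    except (ValueError, sqlite3.Error) as exc:
        conn.execute("ROLLBACK")
        return False, str(exc)


def table_digest(conn: sqlite3.Connection) -> str:
    """SHA-256 over every row of the table in primary-key order."""
    digest = hashlib.sha256()
    for row in conn.execute("SELECT id, tier, balance FROM accounts ORDER BY id"):
        digest.update(repr(row).encode())
    return digest.hexdigest()


def make_verified_backup(conn: sqlite3.Connection) -> tuple:
    """Copy the database with the SQLite online-backup API and verify the copy.

    A backup that cannot be read back with the same digest as the source is
    reported as unverified rather than silently trusted. Returns (backup, ok).
    """
    backup = sqlite3.connect(":memory:", isolation_level=None)
    conn.backup(backup)
    return backup, table_digest(backup) == table_digest(conn)


if __name__ == "__main__":
    db = open_db()
    for label, sql in (("mistyped", MISTYPED_QUERY), ("no WHERE", NO_WHERE_QUERY),
                       ("intended", INTENDED_QUERY)):
        ok, reason = guarded_update(db, sql, expected_rows=2, max_ratio=0.10)
        print(f"{label:9s} -> {'committed' if ok else 'rolled back'}: {reason}")
    copy, verified = make_verified_backup(db)
    print("backup verified:", verified)
```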
September 2010 HSBC received fines of £3 million from the Financial Services Authority related to incidents involving confidential customer records, such as losing unencrypted data in the post.
November 2010 Five British teenagers, including two girls, went on trial for selling stolen identities and credit card details from a site called Gh0stMarket.net. Losses were estimated at between £12 million and £16 million from the credit card details found on the site. Four members of the group eventually received prison sentences of between 18 months to five years.
May 2011 Lulz Security (LulzSec), a group of hackers, began a ‘50 day cruise’ of incidents, attacking web sites or releasing confidential information taken from a variety of organisations. Victims reportedly included Sony, Nintendo, The Sun newspaper, the US version of the X Factor, the Arizona police department, the Serious Organised Crime Agency (SOCA), AT&T, Fox.com, US broadcaster PBS, the CIA and the United States Senate.
June 2011 A joint operation between the FBI and the Security Service of Ukraine (SBU) closed down a ‘scareware’ ring operating across a number of countries including the US, the Ukraine, the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom. The ring used the Conficker worm to infect computers then frighten the owners into paying for worthless security software. The worm was also used to collect confidential information from infected machines. Estimates suggest that the ring managed to collect at least $72 million before being closed down.
September 2011 Kweku Adoboli, a 31-year-old trader at UBS, was arrested by London police in relation to rogue trading that was estimated to have cost the Swiss bank £1.3 billion.
June 2012 The New York Times publishes an in-depth article stating that Stuxnet, a computer virus aimed at hindering the Iranian nuclear research programme, was created as a cyberweapon by the United States and Israel. It is later alleged that other cyberweapons were created and used by both countries, including programs called Flame and Gauss.
Cyberweapon
Computer code intended to cause harm to structures, systems or people.
Update query
Used to change records, tables and reports held in a database management system.
A survey from the Computing Technology Industry Association found that in more than 63 per cent of IT security breaches human error played a role. Technological failures accounted for only 8 per cent of security problems (source: Jupitermedia Corporation).
Complacent staff weak link in combating cyber criminals
By Kate Burgess
If your password is ‘password’ or ‘123456’, change it this minute. For even as the civil liberties brigade rails against state snooping and mythologises cyber leakers such as Edward Snowden, cyber crime is bringing down small companies and destroying livelihoods.
At the business end, the victims of cyber crime are piling up. About 90 per cent of all British companies suffered some kind of attack last year, according to the government’s department of business.
It comes in all forms – staff siphoning off cash, competitors filching customer data, contract details or product designs, or gangs (some possibly sponsored by foreign states) infecting software with viruses and worms for financial gain. Web-based crime has cost the UK as much as £27bn this year, according to the National Audit Office. The government reckons that the costs to business have tripled in a year.
The average price paid for the worst breaches by companies with fewer than 250 staff is £35,000–£65,000.
For bigger companies, the average cost is £850,000. But the grief caused to the UK’s smallest and most vulnerable enterprises is more than just financial. The combination of clean-up costs, the threat of fines for failing to protect customer data, the damage to reputation and client losses can prove fatal.
Worryingly, the unscrupulous are now targeting these small enterprises. For the first time, almost as many small companies say they were attacked last year as bigger ones.
It will only get worse, too, given the reach of the internet and the fact that almost everything we do is recorded and stored somewhere on the web. The full extent of the damage may never be known.
Many companies – like the world’s superpowers – are loath to admit explicitly just how much data they have collected and would be embarrassed to own up to a cyber attack. Governments are working to encourage more disclosure to help to form a united defence. Police forces are wising up, too, setting up specific cyber crime units such as the Europol Cybercrime (yes, really) centre.
Prevention, though, must be the best cure. Nearly all breaches are because hackers have been able to exploit the vulnerability of staff and systems through weak passwords, out-of-date security software and the misuse of social networking sites.
The problem is that few of us, executives of small companies included, think we have much worth stealing. But even corporate minnows should not underestimate their usefulness as a route into the databases of bigger companies with which they are linked, or the importance of innovative small caps as repositories of big, groundbreaking ideas.
Mini case study
The lesson is that the top brass of big and small companies have to spend more on web security. We must also stop moaning about the number of times we are asked to change our passwords and guard against how we pass on corporate tittle tattle. Careless talk may not cost lives, but it certainly costs.
Source: Burgess, K. (2013) Complacent staff weak link in combating cyber criminals. Financial Times. 30 June. © The Financial Times Limited 2012. All Rights Reserved.
Where human lives rely on the proper operation of an information system, this is usually known as a safety-critical system. Perhaps a better way of describing a critical system is to suggest that it is an information system that must not fail. A good example of a critical system is an air traffic control system.
Natural disasters
All information systems are susceptible to damage caused by natural phenomena, such as storms, lightning strikes, floods and earthquakes. In Japan and the United States, for example, great care is taken to protect critical information systems from the effects of earthquakes. Although such hazards are of less concern in much of Europe, properly designed systems will make allowances for unexpected natural disasters.
Safety-critical system
Where human lives rely on the correct operation of a computer-based information system.
Sabotage
With regard to information systems, sabotage may be deliberate or unintentional and carried out on an individual basis or as an act of industrial sabotage.
Individual sabotage
Individual sabotage is typically carried out by a disgruntled employee who wishes to exact some form of revenge upon their employer. The logic bomb (sometimes known as a ‘time bomb’) is a well-known example of how an employee may cause deliberate damage to the organisation’s information systems. A logic bomb is a destructive program that activates at a certain time or in reaction to a specific event. In most cases, the logic bomb is activated some months after the employee has left the organisation. This tends to have the effect of drawing suspicion away from the employee. Another well-known example is known as a back door. The back door is a section of program code that allows a user to circumvent security procedures in order to gain full access to an information system. Although back doors have legitimate uses, such as for program testing, they can also be used as an instrument of sabotage. It should be noted, however, that individual sabotage is becoming more infrequent due to legislation such as the Computer Misuse Act.
Industrial sabotage
Industrial sabotage is considered rare, although there have been a number of well-publicised cases over the past few years. Industrial sabotage tends to be carried out for some kind of competitive or financial gain. The actions of those involved tend to be highly organised, targeted at specific areas of a rival organisation’s activities, and supported by access to a substantial resource base. Industrial sabotage is considered more serious than individual sabotage since, although occurrences are relatively few, the losses suffered tend to be extremely high. A well-known example concerns the legal battle between British Airways and Richard Branson’s Virgin during the 1990s, where it was alleged that BA gained access to Virgin’s customer databases and used this information to ‘poach’ Virgin’s customers. More recently, it has been claimed that governments have used their resources to give some companies an advantage in the marketplace. At the turn of the century, for example, it was alleged that both the United States and the United Kingdom were passing commercially sensitive information gathered via the Echelon surveillance network to certain companies.
Logic bomb
Sometimes also known as a time bomb, a logic bomb is a destructive computer program that activates at a certain time or in reaction to a specific event.
Back door
A section of program code that allows a user to circumvent security procedures in order to gain full access to an information system.
Unintentional sabotage
An intent to cause loss or damage need not be present for sabotage to occur. Imagine the case of an organisation introducing a new information system at short notice and without proper consultation with staff. Employees may feel threatened by the new system and may wish to avoid making use of it. A typical reaction might be to enter data incorrectly in an attempt to discredit the new system. Alternatively, the employee might continue to carry out tasks manually (or with the older system), claiming that this is a more efficient way of working. In such cases, the employee’s primary motivation is to safeguard their position – the damage or loss caused to the organisation’s information systems is incidental to this goal.
Vandalism
Deliberate damage caused to hardware, software and data is considered a serious threat to information systems security. The threat from vandalism lies in the fact that the organisation is temporarily denied access to some of its resources. Even relatively minor damage to parts of a system can have a significant effect on the organisation as a whole. In a small network system, for example, damage to a server or shared storage device might effectively halt the work of all those connected to the network. In larger systems, a reduced flow of work through one part of the organisation can create bottlenecks, reducing the overall productivity of the entire organisation. Damage or loss of data can have more severe effects since the organisation cannot make use of the data until they have been replaced. The expense involved in replacing damaged or lost data can far exceed any losses arising from damage to hardware or software. As an example, the delays caused by the need to replace hardware or data might result in an organisation’s being unable to compete for new business, harming the overall profitability of the company.
In recent years, vandalism has been extended to the Internet. A number of incidents have occurred where company web sites have been defaced.
Theft
As with vandalism, the loss of important hardware, software or data can have significant effects on an organisation’s effectiveness. Theft can be divided into two basic categories: physical theft and data theft.
Independent insurance broker Bland Bankart plc estimates that the cost of computer and electronic office equipment theft exceeds £50 million each year (Bland Bankart plc). Even the theft of a single piece of hardware can result in significant loss. A survey by Kensington, producers of notebook security equipment, found that the theft of a single notebook computer cost £11,500 when factors such as lost productivity were taken into account.
Physical theft, as the term implies, involves the theft of hardware and software. The DTI’s 2012 ‘Information Security Breaches Survey’ reported that 7 per cent of the worst security incidents suffered by large organisations and 5 per cent of the worst incidents suffered by small organisations involved the physical theft of equipment. It is worth noting that physical theft is not restricted to computer systems alone; components are often targeted by criminals because of their small size and relatively high value.
Data theft normally involves making copies of important files without causing any harm to the originals. However, if the original files are destroyed or damaged, then the value of the copied data is automatically increased. The Ponemon Institute (www.ponemon.org) estimates that the average cost of a “compromised” record is $214.
Data theft
This can involve stealing sensitive information or making unauthorised changes to computer records.
Service organisations are particularly vulnerable to data theft since their activities tend to rely heavily upon access to corporate databases. Imagine a competitor gaining access to a customer list belonging to a sales organisation. The immediate effect of such an event would be to place both organisations on an essentially even footing. However, in the long term, the first organisation would no longer enjoy a competitive edge and might, ultimately, cease to exist. In the United States alone, lost sales due to the theft of technology and business ideas are valued at $100 billion to $250 billion a year.
Both data theft and physical theft can take a number of different forms. As an example, there has been growing concern over the theft of customer information, such as credit card details, from company web sites.
Unauthorised use
One of the most common security risks in relation to computerised information systems is the danger of unauthorised access to confidential data. Contrary to the popular belief encouraged by the media, the risk of hackers gaining access to a corporate information system is relatively small. Most security breaches involving confidential data can be attributed to the employees of the organisation. In many cases, breaches are accidental in that employees are unaware that particular sets of information are restricted. Deliberate breaches are typically the result of an employee wanting to gain some personal benefit from using the information obtained. A good example concerns the common myth of the police officer using the Police National Computer to check up on a car they wish to buy. In reality, strict guidelines cover the use of the Police National Computer and a log is kept of every enquiry made.
However, we must consider that the threat posed by hackers is starting to increase as more organisations make use of the Internet for business purposes. In addition, it should be noted that even a relatively small number of hacking incidents can account for significant losses to industry. As an example, a survey commissioned by the UK National High Tech Crime Unit (now part of SOCA – Serious Organised Crime Agency) found that 167 companies had lost £195 million to high-tech crime, such as hacking, over a period of twelve months. Furthermore, even a small number of hackers can cause a significant amount of damage. For instance, a single hacker arrested in 2006 was accused of compromising over 150 US government systems, resulting in $1.36 million in losses to NASA and nearly $100,000 in losses for the Energy Department and the Navy.
The term hacker is used for a person who attempts to gain unauthorised access to a computer-based information system, usually via a telecommunications link. However, this is the popular use of this term and is considered incorrect by many IT professionals. Traditionally, ‘hacking’ referred to the process of writing program code, so hackers were nothing more than skilled computer programmers. Even today, many people consider themselves to be ‘hackers’ of the traditional kind and dislike being associated with the stereotype of a computer criminal. Furthermore, many people draw distinctions between those who attempt to gain unauthorised access to computer-based information systems for malicious reasons and those with other motivations. A person who gains access to an information system for malicious reasons is often termed a cracker rather than a hacker. Similarly, many people claim to use hacking for ethical purposes, such as helping companies to identify security flaws or assisting law enforcement agencies in apprehending criminals. These people tend to be referred to as ‘white-hat hackers’ and their counterparts are termed ‘black-hat hackers’. However, for the purposes of this chapter, we will continue to use the term ‘hacker’ in its popular sense.
In general, most people consider hackers to fall into one of four categories:
■ those who wish to demonstrate their computer skills by outwitting the designers of a particular system;
■ those who wish to gain some form of benefit (usually financial) by stealing, altering or deleting confidential information;
■ those who wish to cause malicious damage to an information system, perhaps as an act of revenge against a former employer;
■ those who wish to make a political statement of some kind.
Hacker
Hackers are often described as individuals who seek to break into systems as a test of their abilities. Few hackers attempt to cause damage to systems they access and few are interested in gaining any sort of financial profit.
Cracker
A person who gains access to an information system for malicious reasons is often termed a cracker rather than a hacker. This is because some people draw a distinction between ‘ethical’ hackers and malicious hackers.
Understandably, the most common crime committed by hackers involves telecommunications fraud. Clearly, the first task carried out by most hackers is to obtain free access to telecommunications, so that the time-consuming task of breaking into a given system can be carried out without incurring a great deal of expense. However, the growth of digital communications technology means that it is possible to implement countermeasures against hacking.
An excellent example concerns a well-known 1989 case, where a hacker managed to access information systems in more than 35 military bases across the United States. The hacker’s intention was to steal information on the Strategic Defense Initiative (SDI) – the so-called Star Wars project. The hacker was traced on the basis of an anomaly found by Clifford Stoll in telephone records. The unauthorised use of 75 cents of telephone time led to an investigation that lasted more than 18 months. Finally, following a number of failed attempts to trace the hacker via the telecommunications system, he was caught and sentenced to imprisonment.
A fairly recent development in relation to hacking concerns the emergence of hacktivists. Hacktivists are those who deface web sites, carry out denial-of-service attacks or publish confidential information in order to make a political statement. Although hacktivism has existed for several decades, several recent high-profile cases have brought it to the attention of the public. The wars in Iraq and Afghanistan, for instance, saw various groups attempting to promote their views by attacking web sites belonging to the government or other organisations connected to the conflicts in some way. More recently, a great deal of public controversy began when Wikileaks (http://wikileaks.org) began to publish a body of confidential documents considered embarrassing to the United States and other countries.
Hacktivist
Describes a person who uses hacking as a means of making a political statement, usually as a form of protest.
CASE STUDY 15.1
Online cybercrime rings forced to home in on smaller prey
By Vanessa Kortekaas
Wall Street’s banks and brokerages came under a sustained cyber attack last Thursday as hackers attempted to bring down online banking and trading operations at 50 top institutions.
Websites were subjected to distributed denial of service (DDoS) attacks to put them out of action, and a ‘malware’ infection was aimed at trading platforms, in a digital offensive dubbed ‘Quantum Dawn 2’.
If this sounds more like a film than reality, that may be because the cyber warfare was part of a simulated exercise to test financial institutions’ ability to withstand global threats.
It came two months after eight members of an international cybercrime ring were indicted for allegedly hacking into the systems of global banks, stealing customer data, and inflicting $45m of losses on the global banking system.
But, as the multinational banks have increased their efforts to thwart such security breaches, the cyber criminals have been forced to target smaller prey – and these include London’s wealth managers and stockbrokers.
‘We are seeing a trend [for cyber criminals] to target smaller institutions who have higher value customers,’ explains Stephen Bonner, a partner within KPMG’s information protection and businesses resilience team in the UK.
‘Very effective work by large retail banks to protect online retail banking is moving the attacker away to easier targets,’ he warns. ‘We’re seeing them attack smaller institutions that historically didn’t have enough customers to make it worthwhile.’
Mr Bonner says that this ‘displacement’ phenomenon in the cyber security landscape has also pushed the online security to the top of the agenda for UK wealth managers and stockbrokers.
Rathbone Brothers, a wealth manager with about £20bn of funds under management, says it is aware of attempts to hack in to its client data.
‘We’ve got 40,000 clients, and the fraudsters are just becoming more sophisticated,’ says Andy Pomfret, chief executive of Rathbones. ‘You constantly have a few people trying to [hack] in.’
Rathbones has emulated the big banks in putting its systems to the test, by having so-called ‘ethical hackers’ attempt to access its data.
Mr Pomfret says he also encourages his investment managers to talk to their clients as much as possible, to reduce the risk of identity theft. ‘It’s much harder for someone to impersonate a client when you’re actually talking to them,’ he says.
Rathbones is not alone. According to the Association of Private Client Investment Managers and Stockbrokers (Apcims), cyber criminals are targeting the clients of UK brokerages.
In recent months, one Apcims member firm found that online fraudsters had set up a website identical to its own, and urged clients to buy certain shares – in an online version of a ‘boiler-room’ scam.
‘It turned out [the firm’s clients] were buying into a Ponzi type fund, which means you don’t get your money back,’ explains John Barrass, Apcims’ deputy chief executive.
Although the scam was caught quickly, Mr Barrass says the attack has served as a ‘very big warning sign’ to financial companies about the need to protect themselves against cyber crime.
Many UK companies have increased their spending on methods to combat cyber attacks.
KPMG says the number of wealth managers and brokers that have approached the firm for advice on online security has roughly doubled in the past 18 months.
Charles Stanley, the stockbroker and wealth manager, sends its IT staff for cyber security training at the Chartered Institute of Securities and Investment (CISI). It is one of many seeking to make its staff more aware of the risk.
‘Over the past year or so, I’ve seen much greater attendance from middle ranking firms, from the wealth management side and from the wealth management [business] of the big global banks,’ says George Littlejohn, a senior adviser at the CISI.
KPMG says that wealth managers have one advantage over the large banks in tackling cybercrime: they are ‘closer to their clients’ behaviour’, and therefore more able to detect unusual activity in their accounts.
However, they also bring one disadvantage. ‘With the very high-net-worth individuals, they expect a much more personal touch,’ says Mr Bonner. ‘[They] are less willing to accept some of the inconveniences of higher security.’
Source: Kortekaas, V. (2013) Online cybercrime rings forced to home in on smaller prey. Financial Times. 19 July. © The Financial Times Limited 2012. All Rights Reserved.
QUESTION
What is the key approach to combating cybercrime discussed in the case study?
Computer viruses
Whilst some methods, such as logic bombs, are beginning to decline, others are becoming more common. The release of the ‘virus construction kits’ and ‘virus mutation engines’ places the construction of a new computer virus within the hands of most users. Additionally, whilst methods such as virus scanning provide a degree of protection against virus infection, no completely secure prevention technique has yet been found.
Computer viruses are considered in more detail later on.
CONTROL STRATEGIES
In the previous section it was shown that there is a need to:
■ control access to information systems;
■ maintain the integrity of the information held within a computer-based information system;
■ implement procedures to ensure the physical security of equipment;
■ safeguard the overall security of an information system.
In this section, strategies for reducing threats to information systems are discussed. In general, there are four major approaches that can be taken to ensure the integrity of an information system. These are containment, deterrence, obfuscation and recovery. Although each strategy is discussed separately, it is important to note that an effective security policy will draw upon a variety of concepts and techniques.
Containment
The strategy of containment attempts to control access to an information system. One approach involves making potential targets as unattractive as possible. This can be achieved in several ways but a common method involves creating the impression that the target information system contains data of little or no value. It would be pointless, for example, attempting to steal data that had been encrypted – the data would effectively be useless to anyone except the owner.
A second technique involves creating an effective series of defences against potential threats. If the expense, time and effort required to gain access to the information system is greater than any benefits derived from gaining access, then intrusion becomes less likely. However, defences must be continually improved and upgraded in order to keep up with advances in technology and the increasing sophistication of hackers. Thus, such an approach tends to be expensive in terms of organisational resources.
A third approach involves removing the target information system from potential threats. Typical ways in which this might be achieved include distributing assets across a large geographical area, distributing important data across the entire organisation or isolating important systems.
Deterrence
A strategy based upon deterrence uses the threat of punishment to discourage potential intruders. The overall approach is one of anticipating and countering the motives of those most likely to threaten the security of the system.
A common method involves constantly advertising and reinforcing the penalties for unauthorised access. It is not uncommon, for example, to dismiss an employee for gaining access to confidential data. Similarly, it is not uncommon for organisations to bring private prosecutions against those who have caused damage or loss to important information systems. Attempts to breach the security of the information system are discouraged by publicising successful actions against employees or other parties.
A second approach involves attempting to detect potential threats as early as possible, for example by monitoring patterns of information system usage and investigating all anomalies. However, although such a technique can prevent some attacks and reduce the damage caused by others, it can be expensive in terms of organisational resources.
The third technique used commonly involves predicting likely areas of attack and then implementing appropriate defences or countermeasures. If an organisation feels, for example, that it is particularly vulnerable to computer viruses, it might install virus-scanning software across the entire organisation.
Obfuscation
Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited.
One means by which such a strategy can be implemented is by monitoring all of the organisation’s activities, not just those related to the use of its information systems. This provides a more comprehensive approach to security than containment or deterrence since it also provides a measure of protection against theft and other threats.
A second method involves carrying out regular audits of data, hardware, software and security measures. In this way, the organisation has a more complete overview of its information systems and can assess threats more accurately. A regular software audit, for example, might result in a reduction in the use of illegal software. In turn, this might reduce the number of virus infections suffered by the organisation, avoid potential litigation with software companies and detect illegal or unauthorised use of programs and data.
The dispersal of assets across several locations can be used to discourage potential intruders and can also limit the damage caused by a successful attack. The use of other techniques, such as backup procedures, can be used to reduce any threats further.
Audit
The process of monitoring an organisation’s hardware and software resources. In general, audits are used as a deterrent against theft and the use of illegal software.
Recovery
A strategy based upon recovery recognises that, no matter how well defended, a breach in the security of an information system will eventually occur. Such a strategy is largely concerned with ensuring that the normal operation of the information system is restored as quickly as possible, with as little disruption to the organisation as possible.
The most important aspect of a strategy based upon recovery involves careful organisational planning. The development of emergency procedures that deal with a number of contingencies is essential if a successful recovery is to take place. The process of developing and maintaining these procedures is often called business continuity planning (sometimes also called disaster recovery).
In anticipating damage or loss, a great deal of emphasis is placed upon backup procedures and recovery measures. In large organisations, a backup site might be created, so that data processing can be switched to a secondary site immediately in the event of an emergency. Smaller organisations might make use of other measures, such as RAID facilities or data warehousing services (Chapter 4).
As cloud computing becomes more popular, many individuals and organisations have seen this as an ideal way of ensuring business continuity. Several copies of important data may be distributed across the cloud and even software applications can be accessed anywhere there is an Internet connection. However, it can be argued that cloud computing simply replaces one set of problems with another. As an example, how could a company maintain normal operations if Internet access was lost or if a service provider suffered a major breakdown? In April 2011, Amazon’s EC2 cloud computer network crashed, taking thousands of company websites offline. Some sites took two days to restore and Amazon later announced that some customer data had been permanently lost. In October 2011, Blackberry phone users in Europe, India, South America and other regions suffered disruptions to e-mail, Internet and instant messaging services for a number of days. Services were disrupted again in September 2012.
Planning for emergencies involves more than merely restoring hardware, software and data. Since the 11 September 2001 terrorist attacks in the United States and the 7 July 2005 attack in the UK, a great deal of emphasis has been placed on protecting employees from danger and making sure that competent staff are available in an emergency. This is sometimes known as ‘skills continuity’.
Recovery
The process which is used to restore backup data.
Business continuity planning
The process of developing procedures aimed at restoring the normal operation of an information system in the event of an emergency or disaster.
Backup site
This houses a copy of the organisation’s main data processing facilities, including hardware, software and up-to-date data files. In the event of an emergency, processing can be switched to the backup site almost immediately so that the organisation’s work can continue.
RAID
This stands for ‘redundant array of inexpensive disks’. Essentially, identical copies of important data files are kept upon a number of different storage devices. If one or more of the storage devices fails, additional devices are activated automatically, allowing uninterrupted access to the data and reducing the possibility of losing transactions or updates.
TYPES OF CONTROLS
There are five major categories of controls that can be applied to information systems. These are:
■ physical protection;
■ biometric controls;
■ telecommunications controls;
■ failure controls;
■ auditing.
Physical protection
Physical protection involves the use of physical barriers intended to protect against theft and unauthorised access. The reasoning behind such an approach is extremely simple: if access to rooms and equipment is restricted, risks of theft and vandalism are reduced. Furthermore, by preventing access to equipment, it is less likely that an unauthorised user can gain access to confidential information. Locks, barriers and security chains are examples of this form of control.
Biometric controls
These controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment. Scanners that check fingerprints, voice prints or even retinal patterns are examples of biometric controls.
Until relatively recently, the expense associated with biometric control systems placed them out of reach of all but the largest organisations. In addition, many organisations held reservations concerning the accuracy of the recognition methods used to identify specific individuals. However, with the introduction of more sophisticated hardware and software, both of these problems have been largely resolved. As a result, laptop computers, PDAs and USB flash drives are all now available with built-in fingerprint scanners.
Many organisations have now begun to look at ways in which biometric control systems can be used to reduce instances of fraud. Within five years, for example, banks are expected to introduce automated teller machines (ATMs) that use fingerprints and retinal patterns to identify customers.
Activity 15.1 Biometric security
Devices employing biometric security measures are now within the reach of a typical computer user. Using the Internet, magazines, product catalogues and other sources, locate at least two examples of low-cost products that employ biometrics.
Telecommunications controls
These controls help to verify the identity of a particular user. Common types of communications controls include passwords and user validation routines.
As an example, when a new network account is created for a given user, they may be asked to supply several pieces of personal information, such as the name of their spouse or their date of birth. When the user attempts to connect to the network system from outside of the organisation, they are asked to confirm their identity by providing some of the information given when the account was created.
Failure controls
Failure controls attempt to limit or avoid damage caused by the failure of an information system. Typical examples include recovery procedures and regular backups of data. Backups are explained in more detail later on.
Auditing
Auditing involves taking stock of procedures, hardware, software and data at regular intervals.
With regard to software and data, audits can be carried out automatically with an appropriate program. Auditing software works by scanning the hard disk drives of any computers, terminals and servers attached to a network system. As each hard disk drive is scanned, the names of any programs found are added to a log. This log can then be compared to a list of the programs that are legitimately owned by the organisation. Since the log contains information concerning the whereabouts of each program found, it is relatively simple to determine the location of any unauthorised programs. In many organisations, auditing programs are also used to keep track of software licences and allow companies to ensure that they are operating within the terms of their licence agreements.
A software licence enables a company to make several copies of a program, allowing it to acquire important programs at reduced cost. Typically, a company will purchase a single copy of the program and install this on as many computers as required. Since only one copy of the program and any accompanying documentation is required, costs are reduced for both the company and the supplier. The terms of the software licence will determine how many copies of the program can be made. A ten-user licence, for example, allows a company to make up to ten copies of a program for use by its employees.
Software licence
This sets out the terms under which a piece of software can be used. In general, licences are required for every piece of software owned and used by a company. A company using ten copies of a word processor, for instance, must own ten individual licences or a single licence giving the right to use ten copies of the program.
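The reconciliation step described above (scan log compared against the list of legitimately owned programs, then licence counts checked against installs) can be shown in a few lines. The following is an added example, not code from the book; the scan log, host names, paths and licence register are all constructed for illustration.

```python
"""Software audit of a constructed scan log (added example, not the book's own code).

Reconciles the programs found on networked machines with the list of software the
organisation legitimately owns: unauthorised programs are reported together with the
machine and path where they were found, and the number of installed copies of each
licensed program is checked against the number of copies the licence allows.
"""
from collections import Counter

# Constructed scan log: (hostname, path, program name), in the form an auditing
# program might record while scanning each hard disk drive attached to the network.
SCAN_LOG = [
    ("pc-01", r"C:\Program Files\WordPro\wordpro.exe", "WordPro"),
    ("pc-02", r"C:\Program Files\WordPro\wordpro.exe", "WordPro"),
    ("pc-03", r"C:\Program Files\WordPro\wordpro.exe", "WordPro"),
    ("pc-01", r"C:\Program Files\SheetCalc\calc.exe", "SheetCalc"),
    ("pc-02", r"C:\Users\jsmith\Downloads\unlisted_game.exe", "UnlistedGame"),
    ("srv-01", r"D:\Apps\SheetCalc\calc.exe", "SheetCalc"),
]

# Constructed licence register: program name -> number of copies the licence allows
# (a 'two-user licence' for WordPro, a 'five-user licence' for SheetCalc).
LICENCES = {"WordPro": 2, "SheetCalc": 5}


def audit(scan_log, licences):
    """Return (unauthorised, over_licensed).

    unauthorised:  list of (host, path) for programs absent from the licence register,
                   so that their location is known.
    over_licensed: dict program -> (installed, licensed) for every program with more
                   installed copies than its licence permits.
    """
    unauthorised = []
    installs = Counter()
    for host, path, program in scan_log:
        if program not in licences:
            unauthorised.append((host, path))
        else:
            installs[program] += 1
    over_licensed = {
        program: (count, licences[program])
        for program, count in installs.items()
        if count > licences[program]
    }
    return unauthorised, over_licensed


def audit_report(scan_log=SCAN_LOG, licences=LICENCES):
    """Human-readable summary of an audit run, one line per finding."""
    unauthorised, over_licensed = audit(scan_log, licences)
    lines = [f"Unauthorised program on {host}: {path}" for host, path in unauthorised]
    lines += [f"{prog}: {got} copies installed, licence allows {allowed}"
              for prog, (got, allowed) in over_licensed.items()]
    return lines


if __name__ == "__main__":
    for line in audit_report():
        print(line)
```

Running the file lists the one program not in the register (with its machine and path) and the licence that is exceeded; a real audit would build the scan log by walking each machine's disks instead of using the constructed list.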
SOME TECHNIQUES FOR CONTROLLING INFORMATION SYSTEMS
Some of the most common techniques used to control computer-based information systems are:
■ formal security policies;
■ passwords;
■ file encryption;
■ organisational procedures governing the use of computer-based information systems;
■ user validation techniques;
■ backup procedures.
The following describes each of these techniques in more detail.
Formal security policy
Perhaps the simplest and most effective control is the formulation of a comprehensive policy on security. Amongst a wide variety of items, such a policy will outline:
■ what is considered to be acceptable use of the information system;
■ what is considered unacceptable use of the information system;
■ the sanctions available in the event that an employee does not comply with the security policy;
■ details of the controls in place, including their form and function and plans for developing these further.
Once a policy has been formulated, it must be publicised in order for it to become effective. In addition, the support of management is essential in order to ensure that employees adhere to the guidelines contained within the policy.
It is worth noting that many European countries have national standards that can be used to develop and assess organisational security policies. In the UK, for example, compliance with BS 7799 demonstrates that a company has established an effective information security management infrastructure. Standards such as ISO/IEC 27001, ISO 17799 and BS 7799 are extremely useful in that they provide a framework that can be used to develop a series of policies and procedures in order to maintain the security of computer-based information systems.
In 2010, only 67 per cent of small UK organisations had a formal information management security policy in place compared to 90 per cent of large organisations.
Source: DTI, 2010
Passwords
The password represents one of the most common forms of protection for computer-based information systems. In addition to providing a simple, inexpensive means of restricting access to equipment and sensitive data, passwords also provide a number of other benefits. Amongst these are the following:
■ Access to the system can be divided into levels by issuing different passwords to employees based on their positions and the work they carry out.
■ The actions of an employee can be regulated and supervised by monitoring the use of their password.
■ If a password is discovered or stolen by an external party, it should be possible to limit any damage arising as a result.
■ The use of passwords can encourage employees to take some of the responsibility for the overall security of the system.
The InfoSecurity Europe 2007 survey found that 64 per cent of workers questioned were prepared to reveal their computer password in exchange for a small gift, such as a chocolate bar. Although this fell to 21 per cent in 2008, 60 per cent of workers were still willing to reveal personal information, such as contact details, many without needing any reward at all.
Source: PC Pro, 16 April 2008
Encryption
An additional layer of protection for sensitive data can be provided by making use of encryption techniques. Modern encryption methods rely upon the use of one or more keys. Without the correct key, any encrypted data are meaningless – and therefore of no value – to a potential thief.
Activity 15.2 Pretty Good Privacy (PGP)
Using the Internet as a resource, locate information related to a well-known product called GNU Privacy Guard (GPG, sometimes also called GnuPG). Describe how GPG works and explain why you think the system is so popular.
Procedures
Under normal circumstances, a set of procedures for the use of an information system will arise from the creation of a formal security policy. Such procedures should describe in detail the correct operation of the system and the responsibilities of users. Additionally, the procedures should highlight issues related to security, should explain some of the reasoning behind them and should also describe the penalties for failing to comply with instructions.
User validation
Of relevance to telecommunications is the use of user validation techniques. It is necessary to verify the identity of users attempting to access the system from outside of the organisation. A password is insufficient to identify the user since it might have been stolen or accidentally revealed to others. However, by asking for a date of birth, National Insurance number or other personal information, the identity of the user can be confirmed. Alternatively, if the location of the user is known, the system can attempt to call the user back at their current location. If the user is genuine, the call will be connected correctly and the user can then access the system. Although such methods do not offer total security, the risk of unauthorised access can be reduced dramatically.
User validation
Checks made to ensure the user is permitted access to a system. Also known as access control systems, they often involve user names and passwords, but can also include biometric techniques.
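The password and user validation points above (access levels tied to the account, monitoring of password use, a password alone being insufficient for a connection from outside the organisation) can be brought together in one small account-checking routine. This is an added example and not code from the book; the account layout, the PBKDF2 work factor and the idea of storing the personal-information answer as a salted hash alongside the password are this example's own choices.

```python
"""Password storage and user validation (added example, not the book's own code).

Passwords are stored as salted PBKDF2 hashes so that a copied account table does not
reveal them. A user connecting from outside the organisation must also answer the
personal-information question recorded when the account was created, and every
attempt is logged so that use of the password can be monitored.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; chosen for this example


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def _normalise(answer: Optional[str]) -> str:
    # Personal-information answers are compared case- and whitespace-insensitively.
    return (answer or "").strip().lower()


def create_account(password: str, personal_answer: str, level: str) -> dict:
    """Build an account record; only salted hashes of the two secrets are stored."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": _hash(password, salt),
        "answer_hash": _hash(_normalise(personal_answer), salt),
        "level": level,      # access level assigned according to the user's position
        "attempts": [],      # audit trail used to monitor use of the password
    }


def validate(account: dict, password: str, personal_answer: Optional[str],
             external: bool) -> Tuple[bool, Optional[str]]:
    """Validate a login attempt. Returns (ok, access_level).

    A correct password is always required. A connection from outside the
    organisation must additionally supply the personal-information answer, because
    a password on its own may have been stolen or accidentally revealed.
    """
    salt = account["salt"]
    pw_ok = hmac.compare_digest(_hash(password, salt), account["pw_hash"])
    if external:
        answer_ok = hmac.compare_digest(_hash(_normalise(personal_answer), salt),
                                        account["answer_hash"])
    else:
        answer_ok = True
    ok = pw_ok and answer_ok
    account["attempts"].append({"external": external, "ok": ok})
    return ok, (account["level"] if ok else None)


def failed_attempts(account: dict) -> int:
    """Number of failed validations recorded against the account (for monitoring)."""
    return sum(1 for a in account["attempts"] if not a["ok"])
```

The constant-time comparison (`hmac.compare_digest`) and the per-account salt are standard practice; the callback technique mentioned in the text is a separate channel check and is not modelled here.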
Backup procedures
The effects of a sudden loss of data can affect a company’s activities in a variety of ways. The disruption caused to a company’s normal activities can result in significant financial losses due to factors such as lost opportunities, additional trading expenses and customer dissatisfaction.
The cumulative effects of data loss can prove detrimental to areas as diverse as corporate image and staff morale. Perhaps the single most compelling reason for introducing effective backup procedures is simply the expense involved in reconstructing lost data. A 2008 study of UK data breaches by the Ponemon Institute in collaboration with Symantec and PGP Corporation found that the cost of a lost record ranges from £47 to £59.
One of the most common methods of protecting valuable data is to use the ‘grandfather, father, son’ technique. Here, a rotating set of backup disks or tapes are used so that three different versions of the same data are held at any one time.
To illustrate this method, imagine a single user working with a personal computer and using three flash drives to store their data on. Each day, all of the data being worked on are copied onto the flash drive containing the oldest version (‘grandfather’) of that data. This creates a continuous cycle that ensures that the oldest backup copy is never more than three days old.
Table 15.1 illustrates the operation of the ‘grandfather, father, son’ method. As can be seen, each flash drive or other storage device moves through three generations. Since three copies of the data are maintained, the risk of data loss is reduced considerably. In the event of the original data becoming corrupted or damaged in some way, only the changes made since the last backup copy was made would be lost. In most cases, this would amount to new or altered data produced during the previous day. In addition, since only three sets of reusable media are required in order to make backups, the costs involved can be considered low.
Grandfather, father, son
A common procedure used for creating backup copies of important data files.
Table 15.1 The ‘grandfather, father, son’ backup method
                Day 1       Day 2       Day 3
Grandfather     Device 1    Device 2    Device 3
Father          Device 2    Device 3    Device 1
Son             Device 3    Device 1    Device 2
It is worth noting several general points concerning backups of data:
■ The time, effort and expense involved in producing backup copies will be wasted unless they are made at regular intervals. How often backups are made depends largely upon the amount of work processed over a given period of time. In general, backups will be made more frequently as the number of transactions carried out each day increases.
■ Backup copies of data should be checked each time they are produced. Faulty storage devices and media may sometimes result in incomplete or garbled copies of data. In addition, precautions should be taken against computer viruses, in order to prevent damage to the data stored.
■ The security of backup copies should be ensured by storing them in a safe location. Typically, an organisation will produce two sets of backup copies: one to be stored at the company premises, the other to be taken off the premises and stored at a separate location. In this way, a major accident, such as a fire at the company premises, will not result in the total destruction of the organisation’s data. Many companies take additional precautions, such as storing important data online, using cloud storage as an extra safeguard.
■ Not all data need be backed up at regular intervals. Software applications, for example, can normally be restored quickly and easily from the original media. In a similar way, if a backup has already been made of a given item of data, the production of additional copies may not be necessary.
In order to reduce the time taken to create backup copies, many organisations make use of software that allows the production of incremental backups. Initially, a backup copy of all data files is made and care is taken to ensure the accuracy of the copy. This initial, complete backup is normally referred to as a full backup (sometimes also known as an ‘archival backup’). From this point on, specialised backup software is used to detect and copy only those files that have changed in some way since the last backup was made. In the event of data loss, damaged files can be replaced by restoring the full backup first, followed by the incremental backups. One of the chief advantages of creating incremental backups is that it is possible to trace the changes made to data files over time. In this way, any version of a given file can be located and restored. However, incremental backups can also have a significant disadvantage: should the full backup made initially become lost or corrupted, it may not be possible to restore any data at all. For this reason, it is essential that all backups be checked carefully as soon as they are made.
Many companies have started to adopt disk-imaging software as a way of producing backups of important programs and data. The latest and most sophisticated packages allow users to create incremental backups of an entire hard disk drive. This helps to avoid redundancy and makes the overall process faster and easier to manage. Disk images are discussed in more detail a little later on.
Incremental backup
Includes only those files that have changed in some way since the last backup was made.
Full backup
A method of producing copies of important data files by including all data files considered to be important.
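The full-plus-incremental scheme described above, with the two practical points the text makes about it (restore the full backup first and then each incremental in order; check every backup as soon as it is made, because a lost or corrupted full backup means nothing can be restored), is shown below as an added example. It is not code from the book or from any backup product: files are an in-memory mapping of name to bytes, change detection uses a SHA-256 digest per file, and the per-set checksum is this example's own design.

```python
"""Full plus incremental backups with verification (added example, not the book's).

Files are represented as a mapping of name -> bytes (constructed data). A full backup
copies everything; an incremental copies only files whose content digest changed since
the previous backup and records deletions. Every backup set carries a checksum so it
can be verified the moment it is made, and a restore replays the full backup followed
by each incremental in order, refusing to proceed if any set fails verification.
"""
import hashlib
import json


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _set_checksum(files: dict) -> str:
    """Checksum over a whole backup set: sorted (name, content digest) pairs."""
    canon = json.dumps(sorted((n, _digest(c)) for n, c in files.items()))
    return _digest(canon.encode("utf-8"))


def snapshot_state(files: dict) -> dict:
    """name -> digest for every file; kept after each backup to detect later changes."""
    return {n: _digest(c) for n, c in files.items()}


def full_backup(files: dict) -> dict:
    """Copy every file; this set is the baseline that later incrementals build on."""
    copied = dict(files)
    return {"kind": "full", "files": copied, "deleted": [],
            "checksum": _set_checksum(copied)}


def incremental_backup(files: dict, previous_state: dict) -> dict:
    """Copy only files added or changed since `previous_state`; record deletions."""
    changed = {n: c for n, c in files.items() if previous_state.get(n) != _digest(c)}
    deleted = sorted(set(previous_state) - set(files))
    return {"kind": "incremental", "files": changed, "deleted": deleted,
            "checksum": _set_checksum(changed)}


def verify(backup: dict) -> bool:
    """Check a backup set against the checksum recorded when it was made."""
    return backup["checksum"] == _set_checksum(backup["files"])


def restore(chain: list) -> dict:
    """Rebuild the files from a full backup followed by its incrementals, in order.

    Raises ValueError if the chain does not begin with a full backup or if any set
    fails verification: without an intact full backup the incrementals are useless.
    """
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("restore chain must begin with a full backup")
    restored = {}
    for backup in chain:
        if not verify(backup):
            raise ValueError(f"{backup['kind']} backup failed verification")
        restored.update(backup["files"])
        for name in backup["deleted"]:
            restored.pop(name, None)
    return restored


def can_restore(chain: list) -> bool:
    """True if `restore` would succeed for this chain."""
    try:
        restore(chain)
        return True
    except ValueError:
        return False
```

Because each incremental set is kept rather than merged, any earlier version of a file can be located by restoring a shorter chain, which is the point-in-time advantage the text mentions; the cost is that the chain is only as good as its full backup.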
FOCUS ON… MALWARE
What is malware?
The term ‘malware’ (malicious software) is a generic term for software intended to gather confidential information from a computer system, or cause harm to valuable data. In general, malware can be broken down into a number of categories, each of which is discussed in more detail in the following sections:
■ computer viruses;
■ Trojans and key loggers;
■ spyware.
The computer virus
The origin of the term computer virus is credited to Fred Cohen, author of the 1987 paper ‘Computer viruses – theories and experiments’. However, ‘natural’ computer viruses were reported as early as 1974 and papers describing mathematical models of the theory of epidemics were published in the early 1950s.
There are several different types of computer virus. For example, parasitic viruses (sometimes known as ‘file infectors’) insert copies of themselves into legitimate programs, such as operating system files, often making little effort to disguise their presence. In this way, each time the program file is run, so too is the virus.
In recent years, a great deal of attention has been paid to the emergence of macro viruses (sometimes called ‘script viruses’). These programs are created using the high-level programming languages found in e-mail packages, web browsers and applications software, such as word processors. Technically, such viruses are extremely crude but are capable of causing a great deal of damage. Table 15.2 provides some examples of estimated losses caused by computer viruses over the years 1999–2008. As the table shows, some of the largest losses experienced were the result of relatively unsophisticated viruses distributed via e-mail.
All viruses should be considered to be harmful. Even if a virus program does nothing more than reproduce itself, it may still cause system crashes and data loss. In many cases, the damage caused by a computer virus might be accidental, arising merely as the result of poor programming.
Until quite recently, it was thought that computer viruses could not be attached to data files, such as word processing documents or e-mail messages. However, the built-in programming languages featured within many modern applications mean that data files may now be used to transmit viruses. A typical example is the Word for Windows macro viruses, which attach themselves to a document template and duplicate each time a new document is created. Using an infected document on another machine automatically infects the user’s copy of Word for Windows. However, it remains true that viruses cannot be transmitted by a conventional e-mail message. A virus can only be transmitted as an attachment to a message, or if the e-mail package being used allows active content.
Computer virus
This is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another.
The transmission of computer viruses and malware
A number of reports suggest that consultants, maintenance engineers and employees are responsible for approximately 40 to 60 per cent of all virus infections. Often, a virus infection occurs as a result of employees transferring files to and from their machines at home. Other ways in which viruses and other malware may be transmitted include through the use of illegal software, software downloaded via the Internet and, occasionally, through commercial software and magazine cover-mounted discs.
It can be argued that computer users themselves are often responsible for damage arising as a result of malware, such as viruses and worms. Few users take adequate security measures, such as backing up data. It is estimated that fewer than 5 per cent of computer users are capable of carrying out backup procedures. Furthermore, inadequate training and incorrect responses to security breaches often exacerbate the problem, since anxious users may cause more damage than the malware itself.
There are few accurate estimates of the financial loss caused by computer viruses, Trojans and other forms of malware each year. This is undoubtedly due to the reluctance of major companies to disclose the fact that their systems have been compromised. Despite this, surveys have suggested that over 60 per cent of major corporates come into contact with computer viruses each year. However, the real rate of infection may be substantially higher since companies are unlikely to admit any major losses arising as a result of computer virus infections. In the UK, the Department for Trade and Industry’s Information Security Breaches Survey 2012 found that 40 per cent of large organisations had experienced virus infections, as had 43 per cent of smaller organisations. Worldwide, Fox News reported that total losses from malware infections amounted to $86 billion in 2009.
Detecting and preventing virus infection
The risk of virus infection can be reduced to a minimum by implementing a relatively simple set of security measures:
■ unauthorised access to machines and software should be restricted as far as possible;
■ machines and software should be checked regularly with a virus detection program;
■ all new disks and any software originating from an outside source should be checked with a virus detection program before use;
■ the use of flash drives on company systems should be monitored and controlled, especially if employees take data files to/from their homes;
■ regular backups of data and program files must be made in order to minimise the damage caused if a virus infects the system.
Table 15.2 Examples of estimated losses due to computer viruses from 1999 to 2008
Year    Virus         Estimated loss ($ billions)
1999    Melissa       1.10
2000    LoveLetter    8.80
2001    Code Red      2.60
2001    SirCam        1.15
2002    Klez          9.00
2003    Slammer       1.20
2004    MyDoom        4.75
2004    Sasser        3.50
2004    NetSky        2.70
2004    Bagle         1.50
2007    Conficker     9.80
2008    Storm Worm    8.50
Sources: Bocij, 2006; www.howstuffworks.com
Virus scanners are intended to detect and then safely remove virus programs from a computer system. The most common method of detection used by these programs involves scanning for the signatures of particular viruses: byte sequences, or other identifying characteristics, that are present in every copy of a given virus. It is often possible to locate a virus simply by searching every file on an infected disk for these sequences. However, since new viruses are discovered quite frequently, the list of signatures contained within a detection program quickly becomes dated. For this reason, most software developers insist that regular program updates are essential. In fact, some programs are updated every few hours, rather than once a day or less frequently.
The introduction of new kinds of viruses, such as polymorphic and stealth viruses, means that signature checking alone can no longer be regarded as a completely secure method of detection: a polymorphic virus re-encodes its body differently in each copy, so the fixed byte sequence the scanner is looking for is no longer present on disk. For this reason, most virus scanners use a combination of techniques to enhance their effectiveness. Amongst the methods used are checksums (recording a hash of each file on a known-clean system and reporting any file whose contents later change), virus shields (memory-resident monitors), anti-viruses, heuristics and inoculation. Heuristics involve examining files and monitoring the computer system for characteristics and behaviours typical of viruses rather than for exact signatures, such as code that writes to the boot sector or attempts to modify other executable files.
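The interplay between signature scanning, a polymorphic encoder and a checksum baseline, as an added example in Python that is not part of the book. The signature database, the Demo.Payload.Wiper pattern and the files it scans are constructed for the demonstration; the EICAR string is the industry's standard harmless test file. The single-byte XOR retry in scan_xray (often called x-raying) is an assumption about what a scanner might do against a trivial encoder, not a description of any particular product.

```python
"""Signature scanning, a polymorphic encoder, XOR 'x-raying' and a checksum
baseline, side by side. Added example, not the book's code; signatures, file
names and file contents are constructed for the demonstration."""
import hashlib
import os
import tempfile

# Industry-standard harmless test string; every real scanner detects it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Toy signature database: detection name -> byte sequence (constructed).
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Payload.Wiper": b"DEMO-PAYLOAD:DELETE-ALL-FILES-ON-2099-01-01",
}


def scan_bytes(data):
    """Plain signature scan: every pattern that appears verbatim in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def xor_encode(data, key):
    """One-byte XOR 'encryptor' of the kind simple polymorphic viruses use.
    Each copy picks a fresh key, so the bytes on disk no longer contain the signature."""
    return bytes(b ^ key for b in data)


def scan_xray(data):
    """Signature scan plus 'x-raying': retry under every single-byte XOR key.
    Real scanners do this for known encoder families; it defeats this toy encoder."""
    hits = set(scan_bytes(data))
    for key in range(1, 256):
        hits.update(scan_bytes(xor_encode(data, key)))
    return sorted(hits)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Checksum baseline: taken once, on a system known to be clean."""
    return {path: sha256_file(path) for path in paths}


def verify_baseline(baseline):
    """Paths whose content changed (or that vanished) since the baseline was taken.
    This catches any modification, signature or not, but cannot say what changed it."""
    return sorted(path for path, digest in baseline.items()
                  if not os.path.exists(path) or sha256_file(path) != digest)


def demo():
    """Plant a plain and an XOR-encoded copy of the test file; compare the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "report.doc")       # constructed victim file
        with open(target, "wb") as handle:
            handle.write(b"Quarterly figures: nothing to see here.\n")
        baseline = build_baseline([target])

        plain = EICAR
        poly = xor_encode(EICAR, 0x5A)                  # same code, different bytes

        with open(target, "wb") as handle:              # the 'infection'
            handle.write(poly)

        return {
            "plain_signature": scan_bytes(plain),       # found
            "poly_signature": scan_bytes(poly),         # signature alone misses it
            "poly_xray": scan_xray(poly),               # x-raying finds it again
            "integrity_changed": verify_baseline(baseline),  # checksum flags the file
            "target": target,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running demo() shows the three outcomes the text describes: the plain copy matches its signature, the XOR-encoded copy slips past a plain signature scan but is caught once the scanner tries the encoder's keys, and the checksum baseline flags the changed file regardless of how the virus was encoded. The price of the checksum approach is that it reports every change, legitimate updates included, so it is usually applied to system files that should not change rather than to user data.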
Once a virus has been detected there are three methods of removing it. The first, disinfection, attempts to restore damaged files and directory structures to their original condition. However, disinfection is not possible in all cases. The second technique involves overwriting the virus program so that it is permanently and irrevocably deleted from the disk. The third and final method of removing a virus is to restore a backup of the infected disk to the system. The process of writing files to the disk effectively overwrites the virus and restores the system to its original state.
A distinction is made between erasing and deleting a file. Erasing a file merely removes its entry in the disk’s directory structure: the file’s data remains on the disk, where it can be recovered (and, in the case of a virus, could be reactivated) until another file happens to overwrite it. For this reason, virus killers delete the virus completely by overwriting it with new data. Note that on modern media an in-place overwrite is not always guaranteed to reach the old data: solid-state drives relocate writes as part of wear levelling, and journaling or copy-on-write file systems may keep the previous copy elsewhere, which is one reason a full re-image of the disk, described later in this section, is the more dependable route.
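The erase/delete distinction as an added example that is not the book's code: a simulated disk with a directory table, showing that a raw search of the medium still finds an ‘erased’ virus body but not a ‘deleted’ one. The ToyDisk class, the file names and the DEMO-VIRUS-BODY marker are constructed for this demonstration, and the simulation deliberately ignores the SSD and journaling caveats noted above.

```python
"""Erasing versus deleting on a simulated disk. Added example, not the book's
code: the ToyDisk class, the file names and the DEMO-VIRUS-BODY marker are
constructed for the demonstration."""


class ToyDisk:
    """A flat byte array plus a directory mapping names to (offset, length).
    This mimics what a simple file system does; it is not a real disk driver
    and ignores SSD wear levelling and journaling."""

    def __init__(self, size=4096):
        self.blocks = bytearray(size)
        self.directory = {}
        self._next_free = 0

    def write(self, name, data):
        start = self._next_free
        self.blocks[start:start + len(data)] = data
        self.directory[name] = (start, len(data))
        self._next_free += len(data)

    def read(self, name):
        start, length = self.directory[name]
        return bytes(self.blocks[start:start + length])

    def erase(self, name):
        """The book's 'erase': drop the directory entry only; the bytes stay put."""
        del self.directory[name]

    def delete(self, name):
        """The book's 'delete': overwrite the bytes with zeros, then drop the entry."""
        start, length = self.directory[name]
        self.blocks[start:start + length] = bytes(length)
        del self.directory[name]

    def carve(self, pattern):
        """Forensic-style raw search: every offset at which 'pattern' survives on
        the medium, whether or not a directory entry still points at it."""
        offsets, position = [], self.blocks.find(pattern)
        while position != -1:
            offsets.append(position)
            position = self.blocks.find(pattern, position + 1)
        return offsets


PAYLOAD = b"DEMO-VIRUS-BODY"   # constructed marker standing in for virus code


def demo():
    disk = ToyDisk()
    disk.write("notes.txt", b"meeting at ten")
    disk.write("virus.exe", b"MZ" + PAYLOAD)
    disk.write("virus2.exe", b"MZ" + PAYLOAD)

    disk.erase("virus.exe")                     # entry gone ...
    after_erase = disk.carve(PAYLOAD)           # ... both copies still on the medium
    disk.delete("virus2.exe")
    after_delete = disk.carve(PAYLOAD)          # only the merely-erased copy remains
    return {
        "after_erase": after_erase,
        "after_delete": after_delete,
        "listing": sorted(disk.directory),
        "notes_intact": disk.read("notes.txt") == b"meeting at ten",
    }


if __name__ == "__main__":
    print(demo())
```

After erase() the directory no longer lists virus.exe, yet carve() still finds its body at the same offset, which is exactly what a file-recovery or forensic tool exploits; after delete() the overwritten copy is gone and only the erased one is left. Disk-recovery tools work on real file systems in the same way, which is why a virus killer must overwrite rather than merely unlink.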
Despite the sophistication of scanning programs, none is capable of offering complete protection against infection. Many tests have been carried out to determine the efficiency of specific virus-scanning programs. In some cases, the detection rate of some programs was found to be as low as 50 per cent.
The action that a virus carries out when activated is normally referred to as the payload. An example of a payload might be issuing the command to delete all of the files from the user’s hard disk drive when a certain condition is met, such as when a particular date or time is reached.
In recent years many companies have come to recognise that virus scanners and other software, such as firewalls, are no longer enough to provide high levels of protection in the face of sophisticated viruses and malware. For instance, computer viruses and Trojans now exist that can disable or delete security software whilst maintaining the appearance that they are working properly. Many companies have started to adopt other methods of protecting their systems, for example by investing in disk-imaging software.
Using appropriate software, it is possible to take a ‘snapshot’ of a hard disk drive at a given date and time. The entire contents of the drive can be copied into a special disk image file while the user carries on working. In the event of a disaster, the image file can be written back to the hard disk, restoring the system to the same state as when the image was created. Disk images can even be copied onto other hard disk drives, allowing users to transfer programs and data onto a new system. One of the reasons companies have started to use disk images is that the disk drive is completely overwritten when the image is restored, which reliably removes any virus or Trojan stored on that disk. It is not, however, a universal guarantee: malware that has lodged itself in the machine’s firmware (BIOS/UEFI) or in other devices on the network is untouched by re-imaging the disk, and the process can only be successful if no virus or other malware was present when the disk image was created.
The use of disk images has become so popular that many companies use them as the basis for their backup routines. Although disk images can be somewhat wasteful in terms of storage, they have the advantage of being very quick and easy to make. A good example of disk-imaging software is Acronis TrueImage (www.acronis.com), which can be used on individual systems or across a network. This package also allows users to restore individual files if they wish, removing the need to overwrite the entire hard disk.
Virus scanner
Intended to detect and safely remove virus programs from a computer system.
Signature
Unique features of a virus, such as a particular series of byte values in its program file, a message displayed on screen or hidden text.
Polymorphic virus
Capable of altering its form from one copy to the next, so that the ‘standard’ signature of the virus is not present. This means that a virus scanner may not always identify the virus correctly.
Stealth virus
Specifically designed to avoid detection. Such programs are normally written with the intention of defeating common or well-known virus-scanning programs.
Heuristics
Involves examining files and monitoring a system for characteristics and behaviours associated with computer viruses, such as attempts to access certain areas of the hard disk drive, rather than for exact signatures.
Erasing
Erasing a file removes its details from the disk’s directory structure. This leaves the file’s data essentially intact and can allow it to be recovered.
Deleting
Deleting a file removes its details from the disk’s directory structure and overwrites its data with new data. This makes it virtually impossible to recover the file.
Payload
This refers to the action that will be carried out once a computer virus becomes active. This can range from displaying a message on the screen to deleting valuable data.
Trends
There are many different estimates concerning the growth in numbers of viruses, Trojans and worms. In 1989, it was believed that there were fewer than 50 viruses in circulation. However, by the end of 2004 it was estimated that the number of viruses had grown to more than 100,000 (Bocij, 2006) and to more than one million by 2008 (Sunday Times, 10 April 2008). There has been a similar growth in the number of new viruses and similar malware that is being discovered each month. As an example, at the end of 2002, Sophos – a leading developer of anti-virus products – reported that it had detected more than 7000 new viruses, worms and Trojans during the whole of the year. By 2004, some antivirus companies were reporting the discovery of up to 1700 new viruses every month and by 2008 a leading antivirus company, Symantec, reported that it had discovered 711,000 new viruses in a single year. In 2012, McAfee reported that it was receiving 100,000 malware samples each day and attributed much of the growth to a surge in malware aimed at mobile applications and devices.
Improved access to technology, an increase in the use of networks and new communications technology have all increased the vulnerability of many users to virus infections. At most risk are universities and other large sites, such as public services.
Disk image
A perfect copy of the entire contents of a hard disk drive. Disk images are used to back up whole systems since they provide a snapshot of the system at a specific date and time.
Activity 15.3 Computer viruses
Using the Internet as a resource, find details of at least three major virus incidents over the past three years. For each incident, describe:
1. where the virus originated and how it spread;
2. how many machines were infected around the world;
3. estimated losses resulting from the infection.
Trojans and key loggers
Two other kinds of programs are related to computer viruses: worms and Trojans. A worm is a self-replicating program that spreads from one machine to another across a network without needing to attach itself to a host file; its payload may corrupt or overwrite data on each system it reaches.
A Trojan appears as a legitimate program in order to gain access to a computer system. In the past few years, the use of Trojans to disrupt company activities or gain access to confidential information has grown sharply. Most of the Trojans encountered by business organisations are designed to gather information and transmit regular reports back to the owner. Typically, a Trojan will incorporate a key logging facility (sometimes called a ‘keystroke recorder’) to capture all keyboard input from a given computer. Capturing keyboard data allows the owner of the Trojan to gather a great deal of information, such as passwords and the contents of all outgoing e-mail messages.
Although Trojans are often used as delivery systems for spyware and other forms of malware, some are designed to give owners control over the target computer system.
Worm
A self-replicating program that spreads across a network without attaching itself to a host file. Its payload may corrupt or overwrite data on the systems it reaches.
Trojan
A Trojan presents itself as a legitimate program in order to gain access to a computer system. Trojans are often used as delivery systems for other malware.
Effectively, the Trojan acts as a remote control application, allowing the owner to carry out actions on the target computer as if they were sitting in front of it. Sometimes, the owner of the Trojan will make no effort to conceal their activities: the victim sees actions being carried out but is unable to intervene, short of switching off the computer. More often, however, the Trojan operates silently and the victim is unaware that their computer is running programs, deleting files, sending e-mail, and so on. Back Orifice is an example of a Trojan that can be used in both of these ways. This program was designed to target Microsoft’s operating systems and is arguably the most famous program of its kind.
Some programs are designed to disrupt company activities by initiating denial-of-service attacks or by attacking company servers. In recent years, hackers have started to use specialised programs to create networks of zombie computers that can be used to send commercial spam or launch distributed denial-of-service attacks. Some Trojans are designed to take full or partial control of a computer when they receive instructions from the author. The Trojan remains inactive most of the time, only connecting to the Internet every now and then to check for new instructions. When activated by the author, the Trojan begins to generate e-mail or fake web traffic directed towards one or more specific targets. A computer infected by this type of Trojan is often called a bot or a zombie. Hackers use these networks, called botnets, to generate an income by renting them out to spammers, extortionists and other criminals, or by extorting money from companies themselves.
Bot
A computer that has been infected by a zombie program is sometimes referred to as a bot. See botnet and zombie.
Zombie
A type of Trojan capable of taking full or partial control of a computer when activated by the author. Zombie computers are usually organised into large networks (called botnets) so that their combined resources can be used to send spam or launch distributed denial-of-service attacks.
Botnet
A group of zombie computers capable of being directed towards various tasks, such as launching denial-of-service attacks. See zombie.
Spyware
Spyware represents a new type of threat for business and home users. In general, spyware describes a category of software designed to capture and record confidential information without a user’s knowledge or consent. As an example, an earlier section described how key loggers record every key pressed by a user. Such programs are often used to collect passwords and other information, such as the contents of documents and e-mail messages, over a period of time. At regular intervals, the program will attempt to connect to the Internet and transmit a report to its owner by e-mail. Often, key loggers will attempt to avoid detection by waiting until the computer user is working on the Internet before attempting to transmit any data.
Applications for spyware range from monitoring the actions of a spouse to industrial espionage. Although early spyware programs were relatively crude, modern applications have a number of sophisticated features that make them difficult to detect and remove. As an example, some programs can be installed at a distance, without needing direct access to the target computer.
Spyware is also produced and disseminated as adware (advertising-supported software). Many companies produce useful software tools that are distributed free of charge or at low cost. In order to generate revenues, the software displays advertisements on behalf of other companies. However, some companies attempt to target their advertising more effectively by monitoring how people use their computers and the Internet. The software collects information, such as details of any web sites visited, and reports back to a central server. Although most companies claim that they do not collect any data that can identify a specific individual, many people frown upon the idea that their activities are being constantly monitored and reported on.
Spyware
Describes a category of software intended to collect and transmit confidential information without the knowledge or consent of a computer user.
Adware
Describes advertising-supported software. Some adware also monitors a user’s online activities, usually so that advertising can be targeted more accurately, which makes it a form of spyware.
Detecting Trojans and spyware
Many modern virus scanners are also capable of detecting Trojans and spyware; however, it is also possible to detect this software in two other ways. First, it is possible to purchase specialised software that functions in much the same way as a virus scanner. The Cleaner, for instance, is a specialised Trojan scanner capable of detecting thousands of common Trojans, as well as continuously monitoring a computer for behaviour indicative of a Trojan infection. Similar applications exist to deal with spyware, such as Ad-Aware, a package which its vendor claims is capable of removing all known adware products.
Second, since many spyware programs need to communicate via the Internet, it is often possible to detect them by looking for unusual activity, such as attempts to send e-mail by unfamiliar programs or components, or connections made to the same remote host at suspiciously regular intervals. A firewall that filters outbound as well as inbound traffic provides a useful defence against Trojans, since it can block and log connection attempts from programs that have not been authorised. It is not a complete defence: a Trojan may tunnel its traffic over channels the firewall must allow, such as web traffic on port 443, or may disable the firewall itself, so the firewall’s logs need to be reviewed rather than relied on silently.
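The second approach, looking for unusual outbound activity, as an added example in Python that is not part of the book. It assumes a host firewall that logs each outbound connection as a timestamp, a process name and a destination; the log lines, the process names (including the imposter svchost32.exe) and the addresses, which are drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, are all constructed for the demonstration.

```python
"""Finding Trojan and spyware traffic in a host firewall's outbound log.
Added example, not the book's code: the log format, the process names and
the addresses are constructed; a real log needs its own parser."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

LOG_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$")

MAIL_PORTS = {25, 465, 587}                          # SMTP, SMTPS, submission
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumed allowlist of senders

# Constructed log: a browser, a legitimate mail client, and an imposter process
# ("svchost32.exe") that checks in with one host every ten minutes and later
# tries to mail out its report.
SAMPLE_LOG = """\
2014-10-13T09:00:00 proc=outlook.exe dst=10.0.0.25:25
2014-10-13T09:00:04 proc=chrome.exe dst=192.0.2.44:443
2014-10-13T09:05:00 proc=svchost32.exe dst=203.0.113.10:443
2014-10-13T09:07:31 proc=chrome.exe dst=192.0.2.44:443
2014-10-13T09:15:00 proc=svchost32.exe dst=203.0.113.10:443
2014-10-13T09:21:12 proc=chrome.exe dst=192.0.2.80:443
2014-10-13T09:25:01 proc=svchost32.exe dst=203.0.113.10:443
2014-10-13T09:35:00 proc=svchost32.exe dst=203.0.113.10:443
2014-10-13T09:40:10 proc=svchost32.exe dst=198.51.100.7:587
2014-10-13T09:44:59 proc=svchost32.exe dst=203.0.113.10:443
"""


def parse_log(text):
    """One dict per well-formed line; lines the parser does not understand are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            events.append({"ts": datetime.fromisoformat(match["ts"]),
                           "proc": match["proc"], "ip": match["ip"],
                           "port": int(match["port"])})
    return events


def unauthorised_mail_senders(events, allowed=MAIL_CLIENTS):
    """Any process other than the approved mail clients talking to a mail port."""
    hits = {(e["proc"], e["ip"], e["port"]) for e in events
            if e["port"] in MAIL_PORTS and e["proc"] not in allowed}
    return sorted(hits)


def beacons(events, min_hits=4, max_cv=0.1):
    """(proc, ip, port, mean gap in seconds) for destinations contacted at
    suspiciously regular intervals. cv = stdev/mean of the gaps between
    connections: a timer produces a cv near zero, a person does not."""
    by_destination = defaultdict(list)
    for e in events:
        by_destination[(e["proc"], e["ip"], e["port"])].append(e["ts"])
    found = []
    for key, stamps in by_destination.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found.append(key + (round(mean),))
    return sorted(found)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("mail from unexpected programs:", unauthorised_mail_senders(log))
    print("regular check-ins:", beacons(log))
```

The two checks catch the two behaviours the text describes: a program that is not a mail client opening a connection to a mail port, and a program that contacts the same host on a fixed timer. Both need tuning in practice, since legitimate updaters also poll on a schedule; the value of the output is in giving an analyst a short list to look at rather than a verdict.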
CASE STUDY 15.2
Cybercrime costs US $100bn a year, report says
By Paul Taylor in New York
Cybercrime and cyberspying are costing the US economy $100bn a year and the global economy perhaps $300bn annually, according to a first-of-its-kind report published on Tuesday.
The report, ‘Estimating the Cost of Cybercrime and Cyber Espionage’, prepared by the Washington-based Center for Strategic and International Studies (CSIS) and sponsored by McAfee, the security firm now owned by Intel, also estimates that malicious cyber activity costs as many as 508,000 jobs in the US alone.
‘It begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace,’ the report said.
‘We believe the CSIS report is the first to use actual economic modelling to build out the figures for the losses attributable to malicious cyber activity,’ said Mike Fey, chief technology officer at McAfee.
‘Other estimates have been bandied about for years, but no one has put any rigour behind the effort. As policy makers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions.’
The figures confirm that malicious cyberactivities do indeed represent what some have termed ‘the greatest transfer of wealth in human history’.
‘Losses to the US [the country where data are most accessible] may reach $100bn annually,’ the report says. ‘The cost of cybercrime and cyberespionage to the global economy is some multiple of this likely measured in hundreds of billions of dollars.’
To put this in perspective, the World Bank suggests that global GDP was about $70,000bn in 2011. ‘A $300bn loss – and losses are probably in this range – would be four tenths of 1 per cent of global income.’
‘This seemingly trivial amount begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace,’ the report authors say.
The report’s authors note that the cost of malicious cyberactivity involves more than the loss of financial assets or intellectual property. There are opportunity costs, damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions, ‘cleaning up’ after cyber incidents and the cost of increased spending on cybersecurity.
To help measure the real loss from cyberattacks, CSIS enlisted economists, intellectual property experts and security researchers to develop the report. The generally accepted range for cybercrime launch was between $100bn and $500bn to the global economy. Researchers used real-world analogies like figures for car crashes, piracy, pilferage and drugs to build the model.
They noted the difficulty of relying on methods such as surveys because companies that reveal their cyber losses often cannot estimate what has been taken, intellectual property losses are difficult to quantify and the self-selection process of surveys can distort the results.
‘This report is also the first to connect malicious cyberactivity with job loss,’ said James Lewis, director and senior fellow of the Technology and Public Policy Program at CSIS and a co-author of the report. ‘Using figures from the Commerce Department on the ratio of exports to US jobs, we arrived at a high-end estimate of 508,000 US jobs potentially lost from cyberespionage. As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging.’
A second report from the CSIS, which is under way, will look at the ramifications of cybersecurity losses on the pace of innovation, the flow of trade and the social costs associated with crime and job loss.
Mr Lewis and co-author Stewart Baker of Steptoe & Johnson, point out that as thoroughly as they plan to develop their estimates, the dollar amount might not fully reflect all the damaging effects that cyber espionage and cybercrime have on the global economy.
Both activities slow the pace of innovation, distort trade and bring the spate of social costs associated with crime and job loss, according to the report.
The authors say the larger effect may be more important than any actual number, and it will be the focus of the next report.
QUESTION
What are the indirect costs of cybercrime described in the report?
Source: Taylor, P. (2013) Cybercrime costs US $100bn a year, report says. Financial Times. 23 July. © The Financial Times Limited 2013. All Rights Reserved.
THREATS RELATED TO INTERNET SERVICES
Since 1999, a number of significant new threats to organisational information systems have emerged. Many of these threats reflect an increasing reliance on intranets and the Internet as basic tools for conducting transactions with partners, suppliers and customers. Although the following material focuses on the Internet, much of it is also relevant to company intranets.
Denial of service (DoS)
As companies begin to rely on network technology to reduce costs, they become more vulnerable to certain risks. For example, more harm can be caused if an individual gains access to a network server than if they merely gain access to a single PC. Similarly, companies relying on the Internet for business communications may find themselves subject to denial-of-service (DoS) attacks. Typically, these attacks work by flooding or otherwise exhausting the communication channels and servers a company relies on, so that legitimate traffic cannot get through. For example, an e-mail system might be attacked by sending millions of lengthy messages to the company. Related attacks involve defacing company web pages or attacking the systems used to process online transactions. In these cases, companies are usually forced to shut down services themselves until the problem can be dealt with. Such attacks were almost unheard of before 1999 but have since become common. The UK government’s ‘Information Security Breaches Survey 2012’ (commissioned by the Department for Business, Innovation and Skills, successor to the DTI) found that 30 per cent of companies had experienced DoS attacks in the previous year, a figure that has grown significantly since 2004, when only 5 per cent of companies reported such incidents.
The impact of a denial-of-service attack can be extremely severe, especially for organisations that rely heavily on the Internet for e-commerce. As an example, an attack on Yahoo in 2000 involved servers being flooded with 1 billion hits per minute. The attack was estimated as costing £300,000 in lost advertising revenue alone (Financial Times, 17 November 2000).
In the past few years, denial-of-service attacks have started to be used to extort money from companies that rely heavily on the Internet. Often, an initial DoS attack is accompanied by a demand for money and the threat of a more serious and prolonged attack. A well-known case took place in 2004, when Russian extortionists launched a number of DoS attacks against UK bookmakers before demanding between £10,000 and £30,000 to stop the attacks. Bookmakers who refused to pay suffered losses of approximately £40 million through lost business caused by repeated attacks. Recent studies by the FBI, Ponemon Institute and others have suggested that DoS and other attacks on a single organisation can result in losses of up to $36.5 million.
Denial of service (DoS)
This is a form of attack on company information systems that involves flooding the company’s Internet servers with huge amounts of traffic. Such attacks can effectively halt all of the company’s Internet activities.
Activity 15.4 Denial-of-service attacks
Using the Internet as a resource, locate three examples of recent denial-of-service attacks. For each example, describe how the attack occurred and the losses suffered by the victim.
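A minimal mitigation for the flooding attacks described in this section, as an added example in Python that is not part of the book: a per-source token-bucket limiter of the kind a web server or reverse proxy applies in front of an application. The rates, the client addresses (from the documentation ranges) and the request timeline are constructed for the demonstration.

```python
"""Per-source token-bucket rate limiting against a single-address flood.
Added example, not the book's code; rates, addresses and the request
timeline are constructed for the demonstration."""


class TokenBucket:
    """'rate' tokens per second, at most 'burst' stored. Tokens are kept in
    thousandths and time in milliseconds so the arithmetic is exact integers."""

    def __init__(self, rate, burst, now_ms):
        self.rate = rate
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = now_ms

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        # elapsed [ms] * rate [tokens/s] = milli-tokens refilled since the last visit
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class PerSourceLimiter:
    """One bucket per client address; a flooder exhausts only its own bucket."""

    def __init__(self, rate=5, burst=10):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, ip, now_ms):
        bucket = self.buckets.get(ip)
        if bucket is None:
            bucket = self.buckets[ip] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def constructed_traffic():
    """Constructed timeline: a normal client sending 2 requests/s for 10 s, and
    a flooder sending 100 requests in the first second. Addresses are from the
    documentation ranges, not real hosts."""
    requests = [(j * 500, "198.51.100.20") for j in range(20)]      # normal client
    requests += [(i * 10, "203.0.113.66") for i in range(100)]      # flood
    return sorted(requests)


def simulate(requests=None, rate=5, burst=10):
    """Run the timeline through the limiter; per-address allowed/dropped counts."""
    limiter = PerSourceLimiter(rate, burst)
    stats = {}
    for now_ms, ip in (requests if requests is not None else constructed_traffic()):
        verdict = "allowed" if limiter.allow(ip, now_ms) else "dropped"
        stats.setdefault(ip, {"allowed": 0, "dropped": 0})[verdict] += 1
    return stats


if __name__ == "__main__":
    for ip, counts in simulate().items():
        print(ip, counts)
```

With a bucket of 10 tokens refilled at 5 per second, the flooder gets its initial burst through and then only one request in every twenty, while the ordinary client is never throttled because it stays under the refill rate. The limit is the word ‘per-source’: a distributed attack spreads the same load over thousands of bots or spoofed addresses, each of which stays under the threshold, which is why the defence against DDoS has to sit upstream, at the ISP or a traffic-scrubbing service, rather than on the target’s own server.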
Identity theft and brand abuse
Identity theft involves using another person’s identity to carry out acts that range from sending libellous e-mail to making fraudulent purchases. It is considered relatively easy to impersonate another person in this way, but far harder to prove that communications did not originate from the victim.
For business organisations, there is a threat that employees may be impersonated in order to place fraudulent orders. Alternatively, a company may be embarrassed if rumours or bogus press releases are transmitted via the Internet.
The term brand abuse is used to cover a wide range of activities, ranging from the sale of counterfeit goods, for example software applications, to exploiting a well-known brand name for commercial gain. As an example, the name of a well-known company might be embedded into a special web page so that the page receives a high ranking in a search engine. Users searching for the name of the company are then likely to be diverted to the special web page where they are offered a competitor’s goods instead. Some estimates suggest that brand abuse, including counterfeiting, costs UK companies between £4 billion and £6.6 billion per year. This figure rises to between £28 and £40 billion across the EU and between $200 and $400 billion per year worldwide.
With regard to identity theft, CIFAS (www.cifas.org), a UK-based fraud prevention service, reports that there were 80,000 cases of identity theft in the UK in 2006. According to figures published on the organisation’s web site, identity fraud cost the UK economy £1.5 billion in 2005 and generates an income of £10 million per day for criminals. More recent figures suggest that identity theft costs the UK around £2.7 billion per year, affecting 1.8 million people (SkyNews, 18 October 2010).
Brand abuse
This describes a wide range of activities, ranging from the sale of counterfeit goods (e.g. software applications) to exploiting a well-known brand name for commercial gain.
Extortion
Various approaches can be used to extort money from companies. Two examples include ‘cybersquatting’ and the threat of divulging customer information.
Cybersquatting involves registering an Internet domain that a company or celebrity is likely to want to own. Although merely registering a domain is not illegal in itself, some individuals attempt to extort money from companies or celebrities in various ways. Typically, the owner of the domain will ask for a large sum in order to transfer the domain to the interested party. Sometimes, however, demands for money may be accompanied by threats, such as the threat that the domain will be used in a way that will harm the victim’s reputation unless payment is forthcoming. Although there is an established mechanism for dealing with disputes over domain names, many victims of cybersquatting choose not to use these procedures since they do not wish to attract negative publicity.
A more common form of extortion usually occurs after a security breach in which sensitive company information has been obtained. Often, the threat involves making the information available to competitors or the public unless payment is made. One of the best-known cases involved an incident in which an online music retailer’s e-commerce systems were compromised and the details of some 300,000 credit cards were obtained. When a demand for a payment of $100,000 was not met, 25,000 credit card numbers were published on the Internet (Financial Times, 17 November 2000). A 2011 report from Detica and the Cabinet Office suggested that annual losses to UK business resulting from extortion linked to cybercrime are between £0.56 billion and £2.7 billion.
Cybersquatting
The act of registering an Internet domain with the intention of selling it for profit to an interested party. As an example, the name of a celebrity might be registered and then offered for sale at an extremely high price.
Abuse of resources
Organisations have always needed to ensure that employees do not take advantage of company resources for personal reasons. Whilst certain acts, such as sending the occasional personal e-mail, are tolerated by most companies, the increased availability of Internet access and e-mail facilities increases the risk that such facilities may be abused. Two examples of the risks associated with increased access to the Internet involve libel and cyberstalking.
Cyberstalking is a relatively new form of crime that involves the harassment of individuals via e-mail and the Internet. Of interest to business organisations is the fact that many cyberstalkers make use of company facilities in order to carry out their activities. There have also been cases of ‘corporate stalking’ where an organisation has used its resources to harass individuals or business competitors. Individuals can also harass companies and government departments. Although this kind of behaviour often has a financial motive, it can also result from a desire for revenge against the organisation, or even from political beliefs. For an organisation, the consequences of cyberstalking can include a loss of reputation and the threat of criminal and civil legal action.
A number of cases where employees have abused company e-mail facilities have received a great deal of publicity. Well-known cases include an incident where Norwich Union was forced to pay £450,000 in damages after staff libelled a competitor in internal e-mails and a case where Royal & Sun Alliance dismissed ten members of staff after an internal investigation uncovered a series of lewd e-mails circulating. These cases demonstrate that allowing Internet resources to be used inappropriately can have serious repercussions for organisations. In addition to the legal and financial consequences of libel and harassment, a great deal of harm can be caused to a company’s public image and its relationships with customers and suppliers.
Cyberstalking
This refers to the use of the Internet as a means of harassing another individual. A related activity is known as corporate stalking, where an organisation uses its resources to harass individuals or business competitors.
Other risks
A thorough discussion of the risks to organisations that arise from increased reliance on the Internet is beyond the scope of this chapter. However, in closing this section we provide two additional examples of emerging threats: cyberterrorism and stock fraud.
Cyberterrorism describes attacks made on information systems that are motivated by political, ideological or religious beliefs rather than by financial gain. Organisations involved in the defence industries are often the victims of such attacks. As an example, it is estimated that 20,000 UK and US web sites were attacked during the first week of the Iraq conflict in 2003. However, many other companies are also at risk from politically motivated attacks. For example, companies trading in countries that are in political turmoil or companies with business partners in these countries also face the risk of such attacks.
A number of recent cases have highlighted the danger of allowing inaccurate or misleading information to propagate across the Internet. Online stock fraud involves artificially increasing or decreasing the values of stocks by spreading carefully designed rumours across bulletin boards and chat-rooms. Whilst such activities may seem relatively harmless, companies can suffer significant losses. One of the best-known examples was reported on by the Financial Times some years ago (7 February 2001): ‘In separate incidents, Lucent Technologies, the telecoms network equipment giant, and Emulex, a computer network hardware vendor, saw $7.1bn and $2.6bn wiped off their respective stock market values within hours of bogus press releases appearing on the web.’
Incidences of online stock fraud highlight an extremely important issue: organisations are at risk from the distribution of false information across the Internet. It is important to note that the effects of online stock fraud are not limited to influencing stock prices. Imagine, for example, what might happen if bogus press releases began to appear when a company was in the process of negotiating a merger or strategic alliance. Preventing inaccurate or misleading information from appearing on the Internet is fraught with difficulty. The sheer size of the Internet means that monitoring web sites, chat-rooms and news services places an unacceptable burden on the resources of even the largest organisations. However, the use of intelligent agents, offline readers and meta-search tools, as described in Chapter 4, can go some way towards helping an organisation monitor how it is being portrayed on the Internet.
Cyberterrorism
This describes attacks made on information systems that are motivated by political, ideological or religious beliefs.
Online stock fraud
Most online stock fraud involves posting false information to the Internet in order to increase or decrease the values of stocks.
M15_BOCI6455_05_SE_C15.indd 564 10/13/14 4:53 PM
565ChaPter 15 MANAGING INFORMATION SEcURITY
Social engineering
This involves tricking people into providing information that can be used to gain access to a computer system.
Phishing
A relatively new development, phishing involves attempting to gather confidential information through fake e-mail messages and web sites.
Although social engineering has existed for several decades, it has become of more concern in recent years because of developments such as phishing. Social engineering involves tricking people into providing confidential information that will allow access to a computer system. As an example, someone might pose as a technician during a telephone call and ask for information, such as passwords or user names.
A relatively new development related to social engineering is phishing, which involves attempting to obtain information through bogus e-mails and web sites. As an example, computer users might receive an official-looking e-mail message from a bank asking them to confirm the details of a transaction via a web site. When users access the web site, they are asked for security information, such as an account number and password. Using this method, criminals are able to gain access to thousands of bank accounts and credit card accounts. As well as leading to financial losses, phishing also causes secondary damage by harming a company’s reputation and damaging public confidence in services such as online shopping and online banking.
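The bank-confirmation scheme described above can be screened for automatically on the receiving side. The Python script below is an added example and is not code from the book: it parses a constructed e-mail message (the sender and link hostnames use reserved documentation domains and belong to no real bank) and flags any link whose host is not under the domain the message claims to come from, or whose visible text shows one address while the link actually points somewhere else.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example. The ".test" and ".example"
# domains are reserved for documentation and are not owned by anyone.
SAMPLE_EMAIL = """\
From: Example Bank <security@example-bank.test>
Subject: Please confirm your recent transaction
Content-Type: text/html

<p>Dear customer, please confirm the transaction at
<a href="http://example-bank.test.login-verify.example/confirm">https://www.example-bank.test/confirm</a>
or visit <a href="https://www.example-bank.test/help">our help page</a>.</p>
"""

# Matches <a href="...">text</a>; adequate for a triage script, not a full HTML parser.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def claimed_sender_domain(raw_message):
    """Domain part of the From: address, i.e. the domain the message claims to come from."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (match on a label boundary)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def suspicious_links(raw_message):
    """Return [(href, [reasons])] for every link that contradicts what the message claims."""
    msg = message_from_string(raw_message)
    domain = claimed_sender_domain(raw_message)
    body = msg.get_payload()  # single-part message, so the payload is the HTML text
    findings = []
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if not under_domain(host, domain):
            reasons.append(f"link host {host!r} is not under sender domain {domain!r}")
        # If the visible anchor text is itself a URL, it must agree with the real target.
        shown_host = urlparse(text.strip()).hostname
        if shown_host and shown_host.lower() != host:
            reasons.append(f"visible text shows {shown_host!r} but link goes to {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the constructed message the first link is reported twice over (its host is a look-alike outside the bank's domain, and its visible text disagrees with its target) while the genuine help link passes. Note that the From: header itself can be forged, so in a production filter the comparison should be made against a sender domain that has been authenticated (for example by DMARC) rather than simply read from the header.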
In the United States, a Consumer Reports 2007 survey found that American consumers lost $7 billion over the last two years to viruses, spyware and phishing schemes (Information Week, 6 August 2007). Approximately 8 per cent of respondents had been taken in by phishing schemes at a median cost of $200 per incident. Similar figures have been reported for the UK and the rest of Europe, though the UK remains the most popular target for such attacks. In the UK, ZDNet (11 March 2011) found that while phishing attacks rose significantly, actual losses fell to £46.7 million in 2009–10.
In terms of companies, the DTI’s 2012 ‘Information Security Breaches Survey’ looked at how often UK companies were impersonated or subjected to phishing attacks: 36 per cent of respondents said they experienced ‘a few’ attacks over the period of a year and a further 4 per cent said they experienced hundreds of attacks a day.
Infosecurity (1 June 2011) reports:
Online fraud continues to grow. The UK Fraud Barometer, for example, suggests that the average loss from online fraud currently stands at £697/$1120 per person, against £352/$566 in March 2010. One in 10 people report that they have been victims of online fraud or theft.
Managing threats to Internet services
In general terms, threats to information systems that originate from the Internet can be managed using the basic approaches and techniques outlined in this chapter.
Of the four basic strategies outlined earlier, an emphasis is likely to be placed on containment, obfuscation and recovery. Whilst an approach based on deterrence is likely to reduce problems associated with staff abuse of facilities, it is unlikely to discourage threats originating from outside the organisation. For example, it would be extremely difficult to take legal action against an attacker based in another country.
In terms of the specific techniques used to control access to information systems, whilst a great deal of emphasis will usually be placed on telecommunications controls, other methods are also of value. Encryption, for example, is used in a variety of circumstances to ensure that any information transmitted via the Internet is only of value to its intended recipient.
It is also important to remember that a formal security policy will play a key role in ensuring that an organisation is prepared to deal with Internet-based threats. Unfortunately, as evidenced by the DTI’s ‘Information Security Breaches Survey 2010’, around 10 per cent of large organisations have no formal security policy in place.
Recently, a range of specialised software applications have appeared that help individuals and companies maintain the security of their systems. Examples include:
■ Firewalls. Firewalls act as a barrier between an information system and the Internet. The software attempts to monitor and control all incoming and outgoing traffic in an attempt to prevent outsiders gaining access to the information system.
■ Intrusion detection software. This type of software monitors activity on a network in order to identify intruders. Typically, the software will look for characteristic patterns of behaviour that might identify the fact that someone has gained access to the network.
■ AI software. Many organisations have begun to develop applications that use artificial intelligence in order to detect intrusion attempts or unusual activity that might indicate a breach in security. As an example, Searchspace has developed a system that detects unusual activity on the London Stock Exchange in order to detect attempts at insider trading.
Firewalls
A specialised software application mounted on a server at the point the company is connected to the Internet to prevent unauthorised access into the company from outsiders.
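To make the ‘characteristic patterns of behaviour’ mentioned under intrusion detection concrete, here is a small detector written as an added example; it is not code from the book or from any product named above. It reads constructed SSH-style authentication log lines (the addresses come from the reserved documentation ranges) and raises an alert when one source address accumulates five failed logins within sixty seconds, and again if a login from that address then succeeds, which is the pattern an intruder who has guessed a password leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the style of an OpenSSH auth log; 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges, so no real host is named.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[410]: Failed password for admin from 198.51.100.7 port 51022
2024-03-01T09:00:03 sshd[410]: Failed password for admin from 198.51.100.7 port 51023
2024-03-01T09:00:05 sshd[410]: Failed password for admin from 198.51.100.7 port 51024
2024-03-01T09:00:08 sshd[410]: Failed password for root from 198.51.100.7 port 51025
2024-03-01T09:00:12 sshd[410]: Failed password for admin from 198.51.100.7 port 51026
2024-03-01T09:00:20 sshd[410]: Accepted password for admin from 198.51.100.7 port 51030
2024-03-01T09:05:00 sshd[412]: Accepted password for alice from 192.0.2.15 port 40000
2024-03-01T09:06:10 sshd[413]: Failed password for bob from 192.0.2.16 port 40010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if the line is not a login record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: returns a list of alert tuples in the order they fire."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Forget failures that fell out of the window before this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in already_alerted:
                already_alerted.add(ev["ip"])
                alerts.append(("brute-force", ev["ip"], len(recent)))
        elif len(recent) >= threshold:
            # A success right after a burst of failures deserves its own, louder alert.
            alerts.append(("success-after-failures", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two alerts this produces on the sample log come from the same address: one when the fifth failure lands inside the window, and one when the subsequent successful login arrives. The second is the one an operator should act on first, since the first only says that someone is trying.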
SUMMARY
1. Controls upon computer-based information systems are needed to ensure the accuracy of data held by an organisation and to prevent loss or damage.
2. The most common threats to computer-based information systems include accidents, natural disasters, sabotage, vandalism, theft, unauthorised use and computer viruses.
3. Accidental damage to computer-based information systems can arise from a number of sources including: inaccurate data entry, attempts to carry out tasks beyond the ability of the employee, failure to comply with procedures for the use of organisational information systems and failure to carry out backup procedures or verify data backups.
4. In some cases, a computer-based information system may be vulnerable to damage caused by natural disasters, such as flooding.
5. Computer-based information systems should be protected against deliberate or unintentional sabotage. The damage or loss caused by unintentional sabotage is often incidental to the actions taken by an employee in pursuit of a different goal.
6. Vandalism can result in an organisation’s being deprived of critical hardware, software and data resources.
7. Theft can involve the physical theft of equipment or data theft. Whilst problems caused by physical theft can normally be overcome quickly and easily, data theft can result in significant long-term losses to an organisation.
8. The threat of unauthorised access to confidential data can arise from internal or external sources. Most security breaches involving confidential data can be attributed to the employees of the organisation.
9. There are four basic control strategies that can be applied to the security of computer-based information systems: containment, deterrence, obfuscation and recovery. Containment attempts to control access to an information system and often involves making potential targets as unattractive as possible. A strategy based upon deterrence uses the threat of punishment to discourage potential intruders. Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited. A strategy based upon recovery recognises that, no matter how well defended, a breach in the security of an information system will eventually occur. Such a strategy is largely concerned with ensuring that the normal operation of the information system is restored as quickly as possible.
10. Types of control for computer-based information systems include: physical protection, biometric controls, telecommunications controls, failure controls and auditing. Physical protection involves the use of physical barriers intended to protect against theft and unauthorised access. Biometric controls make use of the unique characteristics of individuals, such as fingerprints, in order to restrict access to sensitive information or equipment. Telecommunications controls, such as user validation routines, help to verify the identity of a particular user. Failure controls attempt to limit or avoid damage caused by the failure of an information system. Auditing involves taking stock of procedures, hardware, software and data at regular intervals.
11. Techniques used to control computer-based information systems include: formal security policies, passwords, file encryption, organisational procedures governing the use of computer-based information systems and user validation techniques.
12. A formal security policy should be supported by management and widely publicised. The policy will outline what is considered to be acceptable use of the information system and the sanctions available in the event that an employee does not comply with the policy.
13. Encryption involves encoding data so that they are meaningless to anyone except the rightful owner.
14. Backup procedures enable an organisation to protect sensitive files by making copies that can be stored at a safe location. The ‘grandfather, father, son’ technique is one of the most popular methods of making backups. An incremental backup provides a means of copying only those files that have changed in some way since the last backup was made. This provides a number of benefits, such as the ability to trace the changes that a given file has undergone over time.
15. Computer viruses, worms, Trojans and logic bombs represent a growing threat to information systems security. A computer virus is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another. All computer viruses are considered harmful and steps should be taken to protect valuable data from infection.
16. As organisations begin to rely on the Internet as a means of conducting business transactions, new threats to the security of information systems have begun to emerge. Some of these threats include denial-of-service attacks, brand abuse, identity theft, extortion and online stock fraud.
EXERCISES
Self-assessment exercises
1. What are the two basic reasons for the need to control computer-based information systems?
2. List some of the advantages and disadvantages of using passwords to protect equipment and sensitive data from unauthorised users.
3. What types of controls can be used to protect a computer-based information system against vandalism, theft and unauthorised access?
4. What are the advantages and disadvantages of an approach to controlling computer-based information systems that is based on containment?
5. Describe some of the ways in which accidental damage can occur to a computer-based information system.
6. Explain why virus-scanning software and anti-virus programs are often of only limited value in detecting and removing computer viruses.
7. What is malware?
8. What is the difference between spyware and adware?
9. Why do some security specialists recommend the use of disk imaging software?
10. What is phishing?
Discussion questions
1. What motivates an individual or organisation to create a computer virus?
2. ‘No computer-based information system can be considered completely secure – all organisations should base their control strategies on recovery.’ Make a case in favour of or against this argument.
3. ‘An increased reliance on the Internet exposes organisations to increased risk in terms of threats to information systems security.’ Make a case in favour of or against this argument.
4. How can companies reduce their vulnerability to social engineering attacks?
Essay questions
1. Conduct any research necessary and produce a formal security policy governing student access to the computer systems at the institution that you attend. In addition to providing details of any controls already in place, your work must also address the areas listed below. For each of these areas, you should also justify any decisions or choices made:
(a) what activities are considered acceptable; (b) what activities are considered unacceptable; (c) the sanctions that may be used against those failing to comply with the policy.
2. Select an organisation that you are familiar with, such as a university or bank. Conduct any research necessary to address the following tasks:
(a) Describe the potential impact of infection by computer viruses and other malware on the organisation’s computer-based information systems.
(b) Consider the effectiveness of tools, methods and procedures designed to protect computer-based information systems from computer viruses and other malware.
(c) Evaluate the level of risk posed to the organisation by computer viruses and other malware. Produce a set of recommendations that may assist the organisation in reducing this risk.
3. Outline some of the threats to information systems that arise as a result of doing business via the Internet. Illustrate your response with appropriate examples and indicate how the risks you identify can be mitigated.
Examination questions
1. Computer viruses represent a significant threat to the security of organisational computer-based information systems. Some sources have estimated that as many as 1700 new computer viruses may appear each month. You are required to:
(a) Provide a definition of the term ‘computer virus’.
(b) Using relevant examples, describe the ways in which computer viruses can be transmitted.
(c) Discuss some of the ways in which organisations can protect against computer viruses. Highlight some of the advantages and disadvantages of each method described.
2. With regard to the control of computer-based information systems, answer the following:
(a) Describe some of the common security threats facing organisational computer-based information systems.
(b) Explain the four basic approaches to controlling computer-based information systems. Highlight the advantages and disadvantages of each approach.
(c) ‘More effective protection for a computer-based information system can be achieved by employing a combination of the four basic approaches to control.’ Using relevant examples, discuss this statement.
3. A formal security policy can provide an effective means of protecting an organisation’s computer-based information systems against theft, damage and other hazards.
(a) Provide an overview of the areas that will be outlined by a typical formal security policy document.
(b) Describe the ways in which a formal security policy can help to protect an organisation’s computer-based information systems.
(c) A number of factors will determine whether or not a security policy works effectively. Using relevant examples, provide a brief discussion of some of these factors.
References
Bocij, P. (2006) The Dark Side of the Internet and How to Protect Your Family, Praeger Press, Westport, CT
Cohen, F. (1987) ‘Computer viruses – theory and experiments’, Computers and Security, 6, 1, 22–35
Department of Trade and Industry (2010) ‘Information Security Breaches Survey 2010’, Department of Trade and Industry. Available online at: http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf
Further reading
Andress, J. (2011) The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, Syngress, Waltham, MA
Bocij, P. (2004) Cyberstalking: Harassment in the Internet Age and How to Protect Your Family, Praeger Press, Westport, CT.
Bocij, P. (2006) The Dark Side of the Internet, Praeger Press, Westport, CT.
Laudon, K. and Laudon, J. (2013) Management Information Systems: Managing the Digital Firm, 13th edition, Prentice-Hall, Upper Saddle River, NJ. Although some might find this book a little dense and difficult to read, it is detailed and comprehensive in its coverage. Chapter 8 looks at security.
O’Brien, J. and Marakas, G. (2011) Management Information Systems, 10th edition, McGraw-Hill, Boston. Chapter 13 deals with issues such as security and ethics.
Web links
http://csrc.nist.gov The NIST (National Institute of Standards and Technology) site hosts a Computer Security Resource Center containing numerous articles, bulletins and other information.
http://www.sans.org/security-resources/ The SANS Institute publishes a huge number of articles dealing with computer security. This site is considered one of the most authoritative sources of information on computer security by IS professionals worldwide.
www.security-resources.com Security-resources.com offers a selection of introductory articles dealing with topics like how firewalls work.
www.lockdown.co.uk LockDown is a site aimed at home computer users. It provides information on security threats rated by severity. This site gives an excellent overview of the very large and diverse range of security problems that computer users face. Note that many of the problems listed in the site’s database also apply to business computer users.
www.cert.org The Computer Emergency Response Team provides up-to-date information on security issues related to the Internet. The site publishes some interesting statistics concerning the number of incidents investigated.
www.infosyssec.org Information Systems Security Alert. This is a highly respected site that contains links to literally hundreds of resources. Of particular interest is a sophisticated search facility that allows information to be located on all aspects of security.
www.boran.com/security The IT Security Cookbook. A set of documents that provide detailed information on security management. There is a particularly good section on firewalls.
www.mcafee.com McAfee publishes Virus Scan, widely regarded as the best virus detection package available. The site contains a great deal of information on individual computer viruses.
www.vmyths.com This site sheds light on common myths related to viruses and computer security.