Computer crime
the use of a computer to commit an illegal act.
Hackers
Those individuals who are knowledgeable enough to gain access to computer systems without authorization
Crackers
those who break into computer systems with the intention of doing damage or committing a crime
Hacktivists
Some computer criminals attempt to break into systems or deface websites to promote political or ideological goals (e.g., free speech, human rights, and antiwar campaigns)
Industrial espionage
describes covert activities, such as the theft of trade secrets, bribery, blackmail, and technological surveillance to gain an advantage over rivals.
Vulnerability scanners
automatically test targeted systems for weaknesses
Packet sniffers
analyze network traffic and capture unencrypted passwords
Keyloggers
capture every keystroke and thus gather data such as email addresses, passwords, and credit card numbers; or tools to break passwords using a brute-force approach
Social engineering
misrepresenting oneself to trick others into revealing information
Shoulder surfing
looking over someone’s shoulder while the person is keying in access credentials
Dumpster diving
scouring wastebaskets for potentially useful information
Unauthorized access
occurs whenever people who are not authorized to see, manipulate, or otherwise handle data search systems for interesting or useful data, peek at monitors displaying proprietary or confidential data, or intercept electronic messages on the way to their destination
Insider threats
“trusted adversaries” or “malicious insiders” who operate within an organization’s boundaries and are a significant danger to both private and public sectors.
Wikileaks
publishes information (mostly related to political relations) obtained from insiders
Backdoors
hidden access points, built into systems by software developers, that allow for unauthorized access
Zero-day
an undisclosed hardware or software vulnerability that crackers can exploit to adversely affect computer programs, data, other computers, or networks
Unauthorized data modification
when someone accesses electronic data and then changes it in some way, such as when crackers hack into government websites and change content or when employees give themselves electronic raises and bonuses
Jailbreaking
modifying the operating system to remove manufacturer or carrier restrictions to run applications other than those from the official app store—can allow unsecure applications to run on devices or make it difficult to upgrade devices that have been modified.
Malware
short for “malicious software” such as viruses, worms, and Trojan horses
Virus
a destructive program that disrupts the normal functioning of information systems and can reproduce itself.
Worm
a variation of a virus that is targeted at networks
Trojan horses
appear to be legitimate, benign programs but carry a destructive payload. They do not replicate themselves but, like viruses, can do much damage, such as by giving the creator unauthorized access to a system.
Logic bombs
variations of Trojan horses. They also do not reproduce themselves and are designed to operate without disrupting normal computer function. Instead, they lie in wait for unsuspecting computer users to perform a triggering operation
Ransomware
holds a user’s computer hostage by locking or taking control of the user’s computer or encrypting files or documents. Once infected, the scammers demand a ransom to be paid by a certain deadline to unlock the computers or decrypt the files.
Denial of service attacks
occur when electronic intruders deliberately attempt to prevent legitimate users of a service (e.g., customers accessing a website) from using that service, often by using up all of a system’s resources.
Zombie computers
a virus-infected computer that can be used to launch attacks on websites.
Distributed denial of service attacks
use a large number of computers to perform the attack. They are difficult to counter, as it is difficult to distinguish malicious traffic from legitimate user traffic.
Spyware
any software that covertly gathers data about a user through an internet connection without the user’s knowledge.
Adware
free software paid for by advertisements appearing during the use of the software
Spam
electronic junk mail or junk newsgroup postings, usually for the purpose of advertising for some product and/or service
Spam filter
uses multiple defense layers—consisting of dedicated hardware and software—to help reduce the amount of spam processed by the central email servers and delivered to users’ inboxes.
Internet hoax
a false message circulated online about new viruses, funds for alleged victims of a global catastrophe, kids in trouble, cancer causes and cures, or any other topic of public interest.
Phishing
attempts to trick financial account and credit card holders into giving away their authentication credentials, usually by sending spam messages to millions of email accounts
Spear phishing
a more sophisticated fraudulent email attack that targets a specific person or organization by personalizing the message
CAPTCHA
(Completely Automated Public Turing Test to Tell Computers and Humans Apart) typically consists of a distorted image displaying a combination of letters and/or numbers that a user has to input into a form
Brute force approach
a way of breaking passwords in which a bot submits thousands or millions of possible passwords (usually from a list of common passwords) until the correct password is found; websites try to prevent crackers from attempting this.
Cookie
a small text file passed to a web browser on a user’s computer by a web server
Botnets
Destructive software robots working together on a collection of zombie computers via the internet
Programmer
writes a phishing attack template and makes this available for purchase.
Identity theft
the stealing of another person’s Social Security number, credit card number, and other personal data for the purpose of using the victim’s credit rating to borrow money, buy merchandise, and otherwise run up debts that are never repaid
Cyberharassment
a crime in many states and countries, broadly refers to the use of a computer to communicate obscene, vulgar, or threatening content about a person with the intent of harming or harassing that person.
Cyberstalking
Intentionally following, threatening, and/or intimidating someone using electronic means and causing that person to fear for his or her safety
Cyberbullying
deliberately causing emotional distress in the victim, often by manipulating, discrediting, or humiliating the victim.
Online predators
target vulnerable people, usually the young or old, for sexual or financial purposes.
Software piracy
e.g., buying one copy of a software application and then making many copies to distribute to employees.
Patents
give the creator exclusive rights to benefit from the creation for a limited period of time.
Copyright
covers creations of the mind such as music, literature, or software.
Warez
offering stolen proprietary software for free or for sale over the internet; illegal
Reverse engineering
to circumvent the protection mechanisms built into the software by its original developer, computer criminals typically disassemble the software
Key generator
used to generate fake license keys to circumvent the protection mechanism.
Cybersquatting
the dubious practice of registering a domain name and then trying to sell the name for big bucks to the person, company, or organization most likely to want it.
Cyberwar
an organized attempt by a country’s military to disrupt or destroy the information and communication systems of another country
Web vandalism
defacing an opponent’s websites
patriot hackers
independent citizens or supporters of a country that perpetrate attacks on perceived or real enemies.
Stuxnet
a computer worm discovered in June 2010 by a Belarus-based computer security company; a notable example of such an attack
Cyberterrorism
the use of computer and networking technologies against persons or property to intimidate or coerce governments, civilians, or any segment of society to attain political, religious, or ideological goals.
Information systems security
precautions taken to keep all aspects of information systems (e.g., all hardware, software, network equipment, and data) safe from destruction, manipulation, or unauthorized access or use while providing the intended functionality to legitimate users.
IS security consists of:
Assessing risks
Developing a security strategy
Implementing controls and training
Monitoring security
information systems risk assessment
obtaining an understanding of the risks to the availability, integrity, and confidentiality of data and systems.
Threats
undesirable events that can cause harm and can arise from actions performed by agents internal or external to an organization.
Vulnerabilities
weaknesses in an organization’s systems or security policies that can be exploited to cause damage and can encompass both known vulnerabilities (such as vulnerabilities discovered during audits) and expected vulnerabilities
IS controls
help an organization to control costs, gain and protect trust, remain competitive, and comply with internal or external governance mandates
Preventative controls
to prevent any potentially negative event from occurring, such as by preventing outside intruders from accessing a facility
Detective controls
to assess whether anything went wrong, such as unauthorized access attempts, and to limit damage
Corrective controls
to mitigate the impact of any problem after it has arisen, such as restoring compromised data
acceptable use policies
computer and/or internet use policies
business continuity plan
how a business continues operating after a disaster before normal operations have been restored
disaster recovery plan
spells out detailed procedures for recovering from systems-related disasters, such as virus infections and other disasters that might cripple the IS infrastructure.
backup sites
critical for business continuity in the event a disaster strikes; in other words, backup sites can be thought of as a company’s office in a temporary location
cold backup site
nothing more than an empty warehouse with all necessary connections for power and communication but nothing else.
hot backup site
a fully equipped backup facility, having everything from office chairs to a one-to-one replication of the most current data.
recovery time objectives
specify the maximum time allowed to recover from a catastrophic event.
recovery point objectives
how current the backup data should be
Mirrored
everything is stored synchronously on two independent systems
Identification
a user’s claim or declaration of being someone
Authentication
the process of confirming the identity of a user who is attempting to access a restricted system or web site.
Authorization
provided by the system; grants access to particular resources.
Biometrics
employees may be identified and/or authenticated by fingerprints, retinal patterns in the eye, facial features, or other bodily characteristics before being granted access to use a computer or to enter a facility
Two-factor authentication
often used for banking transactions, where the user has to enter not only a password but also a one-time token provided by the bank
access-control software
can reduce such vulnerabilities by allowing computer users access only to those files related to their work.
drive-by hacking
attacker accesses the network, intercepts data from it, and even uses network services and/or sends attack instructions to it without having to enter the home, office, or organization that owns the network
wireless LAN control
methods of configuring the WLAN so that only authorized users can gain access.
virtual private network (VPN)
network connection that is constructed dynamically within an existing network—often called a secure tunnel— to connect users or nodes
tunneling
practice of creating an encrypted “tunnel” to send secure (private) data over the (public) internet
firewall
a part of a computer system designed to detect intrusion and block unauthorized traffic from entering a private network
encryption
the process of encoding messages using an encryption key before they enter the network or airwaves, then decoding them using a matching key at the receiving end of the transmission so that the intended recipients can read or hear them
end-to-end encryption
makes it impossible for eavesdroppers (criminals as well as governmental organizations) to gain access to the communication
symmetric encryption
Traditional encryption methods require the sending and receiving party to have the same key to encode and decode the message
public key encryption
a message can be encoded using the recipient’s public key, and the recipient can then use his or her private key to decode the message.
certificate authority
a trusted middleman between computers that verifies that a website is a trusted site
Secure sockets layer
public key encryption method used on the Internet.
virus prevention
a set of activities for detecting and preventing computer viruses; it has become a full-time, important task for IS departments within organizations and for all of us with our personal computers.
collocation facilities
Organizations can rent space (usually in the form of cabinets or shares of a cabinet) for their servers in such collocation facilities, and the organizations managing collocation facilities provide the necessary infrastructure in terms of power, backups, connectivity, and security.
mobile device management
the administration of an organization’s mobile devices to enforce authorization policies, prevent the downloading or installing of nonapproved apps, or remotely lock the devices or wipe data.
IS audit
performed by external auditors; can help organizations assess the state of their IS controls to determine necessary changes and to help ensure the information systems’ availability, integrity, and confidentiality.
computer-assisted audit tools
test applications and data using test data or simulations, or tools such as vulnerability scanners or packet sniffers
control objectives for information and related technology (COBIT)
a set of best practices that helps organizations both maximize the benefits from their IS infrastructure and establish appropriate controls.
computer forensics
the use of formal investigative techniques to evaluate digital information for judicial review.
honeypot
a computer, data, or network site that is designed to be enticing to crackers to detect, deflect, or counteract illegal activity.
dark web
web content that is used for various nefarious purposes.