Essentials of Management Information Systems - Chapter 8: Securing Information Systems

Vulnerability of Information Systems

  • Security: Measures to prevent unauthorized access or damage.
  • Controls: Methods to ensure asset safety and operational standards.
  • Common Vulnerabilities:
    • Hardware issues: breakdowns, configuration errors.
    • Software flaws: programming and installation errors.
    • External threats: natural disasters, loss of devices.

Internet and Wireless Vulnerabilities

  • Internet:
    • Open access can lead to widespread abuses.
    • Fixed IP addresses create fixed targets for hackers.
  • Wireless Security:
    • Vulnerable to eavesdropping and unauthorized access; broadcast SSIDs make networks easy to discover and monitor.
    • War driving: Driving around with a wireless device, probing for unsecured networks.

Types of Malware

  • Viruses: Software that attaches to files and replicates.
  • Worms: Standalone programs that spread without human action.
  • Trojan Horses: Malicious software disguised as legitimate.
  • Spyware: Monitors user activity, can include keyloggers.

Cybercriminals and Attacks

  • Hackers: Individuals who gain unauthorized system access; crackers are hackers with criminal intent.
  • Techniques include:
    • Spoofing: Impersonating legitimate sources.
    • Eavesdropping: Monitoring network data.
  • Denial-of-Service (DoS): Overloading services to disrupt availability.

Insider Threats

  • Security breaches can come from employees: careless handling, lack of knowledge, social engineering tactics.

Software Vulnerability

  • Flaws in commercial software can lead to security risks.
  • Zero-day Vulnerabilities: Holes in software not yet identified by the vendor, so no patch exists for them.
  • Patches: Vendor updates that fix known flaws, but attackers may exploit a flaw before the patch is released or applied.

Importance of Security & Control

  • Computer failures can severely impact business functions.
  • Security breaches can diminish market value.
  • Legal regulations (e.g., HIPAA, Sarbanes-Oxley) impose requirements for data security and privacy management.

Information Systems Controls

  • General Controls: Govern the security of software, hardware, and data across the organization's information systems.
  • Application Controls: Ensure correct and complete processing within specific applications (e.g., payroll).

Risk Assessment

  • Understanding which assets are vulnerable, and how badly, is essential for deciding how much to invest in security.
  • Assess the types of threats, the probability that each occurs, and the potential loss from each in order to prioritize protections.
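The risk-assessment step above, worked through in code as an added example (not part of the chapter summary): each exposure gets a yearly probability and a loss range, the expected annual loss is probability times average loss, exposures are ranked by that figure, and a proposed control is judged worthwhile only if its annual cost is below the expected loss it removes. The threat names and dollar figures are constructed sample values, not data from the page.

```python
"""Expected-annual-loss ranking for a small risk assessment (added example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat to an asset, with its yearly likelihood and loss range."""

    name: str
    probability: float  # chance the threat occurs in a given year, 0.0 to 1.0
    loss_low: float     # smallest plausible loss per occurrence, in dollars
    loss_high: float    # largest plausible loss per occurrence, in dollars

    def average_loss(self) -> float:
        """Midpoint of the loss range, used as the per-occurrence loss estimate."""
        return (self.loss_low + self.loss_high) / 2.0

    def expected_annual_loss(self) -> float:
        """Probability of occurrence multiplied by the average loss."""
        return self.probability * self.average_loss()


# Constructed sample figures for illustration only; not from the textbook.
SAMPLE_EXPOSURES = [
    Exposure("Power failure", probability=0.30, loss_low=5_000, loss_high=200_000),
    Exposure("Embezzlement", probability=0.05, loss_low=1_000, loss_high=50_000),
    Exposure("User error", probability=0.98, loss_low=200, loss_high=40_000),
]


def rank_by_expected_loss(exposures: list[Exposure]) -> list[tuple[str, float]]:
    """Return (name, expected annual loss) pairs, highest expected loss first.

    The ordering tells the security team where a dollar of control spending
    is most likely to reduce loss.
    """
    ranked = sorted(exposures, key=lambda e: e.expected_annual_loss(), reverse=True)
    return [(e.name, e.expected_annual_loss()) for e in ranked]


def control_is_justified(exposure: Exposure, annual_control_cost: float,
                         probability_after: float) -> bool:
    """Decide whether a control pays for itself.

    `probability_after` is the estimated yearly probability of the threat once
    the control is in place.  The control is justified when its annual cost is
    lower than the reduction in expected annual loss it buys.
    """
    if not 0.0 <= probability_after <= exposure.probability:
        raise ValueError("a control cannot raise the probability of a threat")
    reduced = Exposure(exposure.name, probability_after,
                       exposure.loss_low, exposure.loss_high)
    savings = exposure.expected_annual_loss() - reduced.expected_annual_loss()
    return annual_control_cost < savings


if __name__ == "__main__":
    for name, eal in rank_by_expected_loss(SAMPLE_EXPOSURES):
        print(f"{name:<15} expected annual loss ${eal:>10,.2f}")
    power = SAMPLE_EXPOSURES[0]
    # Hypothetical control: a backup power system at $8,000 per year that
    # cuts the yearly probability of a damaging power failure to 5%.
    print("Backup power justified:",
          control_is_justified(power, annual_control_cost=8_000, probability_after=0.05))
```

Run as a script it prints the ranked table and the control decision; in practice the probabilities and loss ranges come from incident history and asset owners, and the same comparison is repeated for each candidate control against the exposure it addresses.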

Security Policies

  • Outline risks, goals, and methods for data protection.
  • Identity Management: Processes for verifying user identities and access control.

Safeguarding Technologies

  • Firewalls: Prevent unauthorized access to networks; include various filtering methods.
  • Intrusion Detection Systems: Monitor activities for breaches.
  • Encryption: Converts information into unintelligible formats for unauthorized users.
    • Key Types: Symmetric key encryption (sender and receiver share one secret key) and public key encryption (a mathematically related public/private key pair).

Cloud Security Issues

  • Responsibility for data security lies with data owners; verify third-party protections.
    • Audits and Service Level Agreements (SLAs) are critical for compliance.