IS 340
Management
Information Systems
Not in text:
Ethics (Greek
“ethos”, character or custom) – usage is “what is right”; unchanging,
right (or wrong) in all times and places and situations; you know it is right
(or wrong) because you are a thinking person and inherently know right from
wrong.
Morals (Latin
“mores”, customs or manners) – usage is “what is acceptable here and
now, in this situation”; can change with societal views over time, location,
and situation.
Legal
– deals with a set of required or proscribed behaviors; consequences may exist
for specified actions (or inactions); something ethical or moral may not be
legal, and something legal may not be ethical or moral.
Logical
Malleability (James Moor’s term) – a computer can be shaped to perform any
task that can be described in terms of inputs, outputs, and logical operations;
the flip side is that a computer/system only does what it is told to do and has
no capability of doing anything of its own volition.
PAPA –
Privacy, Accuracy, Property, Accessibility (Richard Mason’s four ethical
issues of the information age, 1986; the text uses the same four; the “A” is
sometimes misremembered as Accountability, but Mason’s term is Accessibility)
NOTE: U.S. courts have generally held that employees have no reasonable
expectation of privacy in email sent or stored on employer-owned systems;
assume anything written in company email can be read.
I.
Case Study – Drive-By Hacking – “War Driving” (or Walking, Biking, etc.; the
name comes from the earlier “war dialing” of modem numbers, and “Wide Area
Reception” is a later backronym) – wandering around searching for
open/unprotected wireless access points to use for your own purposes (including
sending spam, spreading viruses, etc.) at no cost to you.
II. Computer Crime – disasters
can happen to stored information or entire systems. Some are accidents, some are intentional. Primary threats to information system
security:
1.
Natural Disasters – power outages, floods, hurricanes, etc.
2.
Accidents – oops!
3.
Employees and Consultants – people who have access to the system
4.
Links to Outside Business Contacts – electronic information is at risk
when it travels between or among affiliates as part of doing business
5. Outsiders – hackers & crackers
A. What is Computer Crime? – using a computer to commit an illegal act;
includes targeting a computer for damage, using a computer to commit an
offense, and using a computer to support a criminal activity.
1. Targeting a computer while committing an
offense
2. Using a computer to commit an offense
3. Using computers to support criminal activity
even though computers are not actually targeted
B. Federal and State Laws – there are two primary federal laws
against computer crime (below), but also other federal and state laws, some
charged as misdemeanors (minor penalties) and some as felonies (major
penalties). Also, enforcing laws
affecting global networks is difficult because of national boundaries and
differing laws in different countries.
1. Computer Fraud and Abuse Act of 1986 –
originally covered mostly unauthorized access to computers of the federal
government and financial institutions; amended (1994, 1996) to prohibit
transmission of viruses and other harmful code and to cover any “protected
computer” used in interstate commerce
2. Electronic Communications Privacy Act of 1986
– prohibits intercepting electronic communications in transit (the Wiretap Act
portion) and breaking into stored communications held by an electronic
communications service (the Stored Communications Act portion)
***Note: It is
a federal crime to threaten the president, vice-president, the cabinet (?), a
member of Congress, or a federal judge (or their families) – be careful what you
say in a critical email!!!
C. Hacking and Cracking
1. Hackers – those who stretch the limits of
computer systems, and break into systems for free distribution of information
Inset: Ethical
Dilemma, p.404 – Ethical Hacking – making a for-profit business out of breaking
into systems (with the owner’s permission) to show firms their weaknesses
2. Crackers – criminals who break into systems
for profit or destructive purposes
D.
Types of Computer Criminals and Crimes – many and varied, mostly for
profit or destruction
1. Who Commits Computer Crimes?
a. Current or former employees – for profit or
damage (disgruntled employees); 85% - 95% of business theft was internal in
2009 (5% - 15% external)
b. People with technical knowledge committing
sabotage for personal gain
c. Career criminals using computers to assist in
crimes
d. Outsiders looking for something of value
2. Unauthorized Access – a person who accesses a
computer without authorization has committed a crime and may be punished
under law; includes doing personal business (for profit or not) on company
time, stealing information (credit card numbers, social security numbers,
etc.), and changing information on someone else’s web page;
Note: only about half
of all computer crimes were reported in 2005, down from about 70% in 2003
3. Information Modification – accessing, then
changing information in some way
4. Other Threats to Information Systems Security
– excellent listing of other system threats
E. Computer Viruses and Other Destructive Code –
Malware is “malicious software” such as viruses, worms, etc.; the text
estimates that over 1,000 new pieces of malware are released each month!
1. Virus – code that attaches itself to a host program or file and copies
itself when the host is run; its payload can damage the computer or its files
2. Worms, Trojan Horses, and Other Sinister
Programs
a. Worm – a self-contained program that copies itself from computer to
computer over a network without needing a host file; can bring systems down by
consuming memory, CPU, or bandwidth
b. Trojan Horse – a program that poses as something useful or harmless but
carries hidden code that runs behind the scenes without the user being aware;
unlike a virus or worm it does not copy itself
c. Logic (Time) Bomb – code that lies dormant until some trigger fires (a
date, a famous person’s birthday, a particular user vanishing from the payroll,
etc.), then performs its payload
3. Denial of Service – someone ties up your
system so it cannot perform its intended service
Zombies – computers infected with viruses or worms that can be used without
their owners knowledge or consent to perpetrate computer crimes
4.
Spyware, Spam, and Cookies
a. Spyware – programs downloaded to your
computer without your knowledge that
collects information about you and delivers it to some unknown third party;
typically used for advertising purposes, but may be used for illegal
activities.
b. Spam – unsolicited (unwanted) email promoting
products/services; some ISPs say that well over 50% of all the email going
through their email servers is Spam; CAN-SPAM law, 2003 – almost completely
ineffective (we told them that before it was enacted);
Phishing – attempts to trick account (and credit card) holders into giving up
their credentials through phony email messages that spoof (forge the apparent
sender of) a bank or other trusted party; “spoofing” is the forgery, phishing
is the scam built on it
c. Cookies – a small text record (browsers cap each cookie at about 4 KB, not
64 KB) that a website stores in your browser and that the browser sends back on
later visits, so the site can recognize you and track your actions on it;
third-party cookies let an advertiser do the same across many sites
5. The Rise of Botnets and the Cyberattack
Supply Chain – destructive software robots (“bots”) working together on a
collection of zombies are today’s standard method of operation for computer
criminals
6. Identity theft – stealing another person’s
identity (usually for profit); one of the fastest growing and most lucrative
(expensive!!!) crimes today.
F. Internet Hoaxes – a false message circulated
online, e.g., a new virus, a new tax, any topic of public interest; there are a
number of sites (e.g., www.snopes.com) that
provide information about hoaxes
G. Cybersquatting – registering a web domain
name and selling it for profit to some firm that wants that web domain name;
now illegal in the U.S (1999).
Inset: Net Stats p.
413 – Top Cyberthreats – good listing of threats
H. Cyber Harassment, Stalking, and Bullying
1. Cyber Harassment – broadly refers to the use
of a computer to communicate obscene, vulgar, or threatening content that
causes distress to a reasonable person.
2. Cyber Stalking – repeated (and unwanted)
contacts with a victim
3. Cyber Bullying – to deliberately cause
emotional distress in the victim
4. Online Predators – targets vulnerable people
usually the young or old, for sexual or financial purposes
I. Software Piracy – making illegal copies of
software; Warez – stolen software offered for free over the Internet;
Software is Intellectual Property that was written and is owned by someone
(just as is a song, a poem, a story, or a work of art)
1. Software Piracy is a Global Business – making
and selling illegal copies of software is a major international business issue
because illegal software constitutes over $30Billion annually in lost sales;
some countries are known to be hotbeds of software piracy but their governments
refuse to do anything about it
***Note: U.S. copyright law (17 U.S.C. §117) lets you make a backup
(archival) copy of software you purchase; BUT it is not illegal for the
producer to make that copy very difficult, and under the DMCA circumventing
copy protection to make it may itself be illegal
III. Cyberwar and
Cyberterrorism – terrorists do Not have to attack just physical objects and
people
A. Cyberwar – an organized attempt by a
country’s military to disrupt/destroy the information and communication systems
of another country
1. Cyberwar Vulnerabilities – the goal of
Cyberwar is to turn the balance of information and knowledge to your own
favor, and diminish an opponent’s capabilities; this utilizes a wide range of
hardware, software, and network technologies; controlling content and
distribution of propaganda and information to an opponent’s civilians, troops,
and government is part of Cyberwar strategy
2. The New Cold War – countries developing ways
to use the Internet as a weapon to target financial markets, government
computer systems, and key infrastructure
B. Cyberterrorism – similar to Cyberwar, but
performed by individuals and organized groups, not by governments; used to
intimidate or coerce governments, civilians, or some segment of society for
political, religious, or ideological goals; it may be launched from anywhere
and may affect basic human services (power, water, health services) because
these are all controlled by information systems
1. What Kinds of Attacks Are Considered
Cyberterrorism? anything that could
affect economic stability or infrastructure, resulting in breakdown of human
services; the goal of Cyberterrorism is to cause fear, panic, and
destruction.
2. How the Internet Is Changing the Business
Processes of Terrorists – the Internet is a powerful tool for streamlining
business processes and globalization for terrorists (see table 10.5), just as
it has globalized the business world
3. Assessing the Cyberterrorism Threat – the
Internet would appear to be a juicy target for terrorists, but because of its
complexity it is not as vulnerable as it might seem; also, attacks on the
Internet do not cause physical harm to persons and do not produce the fear
that terrorists would like;
4. The Globalization of Terrorism – with
continued increase of proliferation and dependence on technology, the threat of
Cyberterrorism will continue to increase; terrorism has become a global
business; governments and industry partners must be ready to respond to various
attack scenarios; international laws and treaties must evolve to reflect the
realities of these threats.
Inset: Brief Case p. 420 – Hacking an Airplane – would
you fly in an airplane that could be hacked?
IV.
Information
Systems Security – precautions taken to keep all aspects of information systems
(h/w, s/w, networks, data, etc.) safe from unauthorized use or access.
A.
Safeguarding Information Systems Resources
1. Risk Analysis – assess value of assets and
costs of protecting them
2. Risk Reduction – actively protecting your
system (firewalls, etc.)
3. Risk Acceptance – not implementing protection
and accepting any damages
4. Risk Transference – letting someone else take
the risks – insurance, outsourcing
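Added example (not in text): the four risk options above only make sense once the value of the asset and the cost of protecting it have been put into numbers. The code below, written for these notes rather than taken from the text, computes annualized loss expectancy (ALE = asset value × exposure factor × annual rate of occurrence) and picks the cheapest treatment: reduce (a control), accept (do nothing), or transfer (insurance). The assets, controls, policy terms, and dollar figures are constructed for illustration, and the insurance model (policy pays everything above the deductible) is a deliberate simplification.

```python
"""Quantitative risk analysis (added example): ALE = asset value x exposure
factor x annual rate of occurrence, then compare reduce / accept / transfer
by total expected annual cost."""

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # asset value (AV), dollars
    exposure_factor: float  # fraction of AV lost in one incident (EF), 0..1
    aro: float              # annualized rate of occurrence, incidents per year


@dataclass
class Control:              # risk reduction
    name: str
    annual_cost: float      # licence, hardware and staff cost per year
    effectiveness: float    # fraction of expected loss it removes, 0..1


@dataclass
class Insurance:            # risk transference (simplified: pays all loss above the deductible)
    name: str
    premium: float
    deductible: float


def single_loss_expectancy(asset):
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset):
    return single_loss_expectancy(asset) * asset.aro


def annual_cost(asset, option):
    """Expected yearly cost of an option: what we pay for it plus the loss we
    still expect to absorb. `None` means accepting the risk as it is."""
    ale = annualized_loss_expectancy(asset)
    if option is None:
        return ale
    if isinstance(option, Control):
        return option.annual_cost + ale * (1 - option.effectiveness)
    if isinstance(option, Insurance):
        retained_per_incident = min(single_loss_expectancy(asset), option.deductible)
        return option.premium + retained_per_incident * asset.aro
    raise TypeError(f"unknown option {option!r}")


def recommend(asset, controls=(), policies=()):
    """Cheapest treatment overall. A control that costs more than the ALE it
    removes never wins here, which is the check the risk analysis exists for."""
    options = [None, *controls, *policies]
    cost, best = min(((annual_cost(asset, o), o) for o in options), key=lambda pair: pair[0])
    if best is None:
        label = "accept"
    elif isinstance(best, Control):
        label = "reduce: " + best.name
    else:
        label = "transfer: " + best.name
    return label, round(cost, 2)


# Constructed figures for illustration only.
CUSTOMER_DB = Asset("customer database", value=2_000_000, exposure_factor=0.25, aro=0.25)
TEST_SERVER = Asset("throwaway test server", value=10_000, exposure_factor=0.5, aro=0.1)
CONTROLS = [Control("DLP + disk encryption", annual_cost=40_000, effectiveness=0.8),
            Control("basic antivirus only", annual_cost=5_000, effectiveness=0.1)]
POLICIES = [Insurance("cyber policy", premium=70_000, deductible=100_000)]

if __name__ == "__main__":
    for asset in (CUSTOMER_DB, TEST_SERVER):
        print(asset.name, annualized_loss_expectancy(asset),
              recommend(asset, CONTROLS, POLICIES))
```

For the customer database (ALE $125,000) the $40,000 control that removes 80% of expected loss wins at $65,000 a year; for the $500-a-year test server every option costs more than simply accepting the risk, which is the outcome the Risk Acceptance item above describes.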
Inset: Coming
Attractions p. 421 – What Were You Thinking? – brain-sensor applications (marketing tools) that
help understand people’s reactions to commercials, etc.
B. Technological Safeguards – six basic safeguards
1. Physical Access Restrictions – Lock the
Door!!!!!! (the blunt, physical approach); logical access rests on
Authentication – are you REALLY who you say you are? – which uses three basic
factors: 1. Something you Have (token, smart card, phone), 2. Something you Know
(password, PIN), 3. Something you Are (biometric); requiring two different
factors is far stronger than any one alone
a. Biometrics – very sophisticated;
fingerprints, retinal scans, voice prints
b. Access-Control Software – restricts users by
time of day or by location/network
c. Wireless LAN Control – is your WLAN open or
secure? War-Driving
d. Virtual Private Networks (VPN) or “Tunneling”
– creating a private, encrypted connection across another network
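Added example (not in text) of the authentication factors and the time/location restriction described above, in Python: something you KNOW (a password stored as a salted, iterated PBKDF2 hash), something you HAVE (a TOTP authenticator code, RFC 6238), and an access-control rule that allows logins only on weekdays during business hours from listed networks. The PBKDF2 and TOTP algorithms are standard; the user record, the fixed salt, the sample times, and the business-hours policy are constructed for this example and are not from the text.

```python
"""Two-factor authentication plus an access-control policy (added example):
something you KNOW (password as salted PBKDF2 hash), something you HAVE
(TOTP authenticator, RFC 6238), and the time-of-day / network restriction
that access-control software enforces."""

import calendar
import hashlib
import hmac
import ipaddress
import os
import struct
from datetime import datetime

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted, iterated hash; the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the 30-second time counter, then the
    RFC 4226 dynamic truncation to a short decimal code."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))


def policy_allows(when, src_ip, allowed_nets, hours=(8, 18)):
    """Access-control rule: weekdays, business hours, listed networks only."""
    in_hours = when.weekday() < 5 and hours[0] <= when.hour < hours[1]
    ip = ipaddress.ip_address(src_ip)
    in_net = any(ip in ipaddress.ip_network(net) for net in allowed_nets)
    return in_hours and in_net


def unix_time_of(when):
    """`when` is a naive datetime taken to be UTC."""
    return calendar.timegm(when.timetuple())


def authenticate(user, password, code, when, src_ip):
    """Return (allowed, reason). The reason is for the audit log only; show
    the user a generic failure so an attacker cannot tell which factor failed."""
    t = unix_time_of(when)
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, t)   # checked even if pw failed
    if not pw_ok:
        return False, "bad password"
    if not otp_ok:
        return False, "bad or stale code"
    if not policy_allows(when, src_ip, user["allowed_nets"]):
        return False, "outside permitted hours or network"
    return True, "ok"


# Constructed user record. The salt and TOTP secret are fixed only so the
# example is reproducible; in practice both come from os.urandom.
SALT, PW_HASH = hash_password("correct horse battery staple", salt=b"constructed-salt")
USER = {"salt": SALT, "pw_hash": PW_HASH,
        "totp_secret": b"12345678901234567890",    # the RFC 6238 test-vector key
        "allowed_nets": ["10.0.0.0/8"]}
TUESDAY_10H = datetime(2024, 3, 5, 10, 0)           # inside policy
SATURDAY_10H = datetime(2024, 3, 9, 10, 0)          # weekend: outside policy

if __name__ == "__main__":
    code = totp(USER["totp_secret"], unix_time_of(TUESDAY_10H))
    print(authenticate(USER, "correct horse battery staple", code, TUESDAY_10H, "10.0.0.5"))
```

Both factors are evaluated before either result is acted on, so a wrong password and a wrong code cost the caller the same time; the 8-digit codes for the RFC 6238 key at times 59 and 1111111109 come out as 94287082 and 07081804, the published test vectors.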
2. Firewalls – software or hardware that filters traffic between networks
according to a rule set (typically deny by default, allow only what is
explicitly permitted) to block unauthorized connections
3. Encryption – transforming data with a key so that only a holder of the
matching key can recover it (protects stored data and data in transit); mere
encoding, e.g., Base64, has no key and anyone can reverse it
4. Virus Monitoring Protection – if you will be
on the net or if anyone connects an outside disk/drive to your computer, you
need anti-virus protection, kept up to date!
5. Audit-Control Software – logs computer
activity and reviews it for suspicious patterns (repeated failed logins,
off-hours access, unusual data transfers); the logs are also the evidence you
need after a breach
6. Secure Data Centers – create a reliable and
secure information systems infrastructure; protect important equipment from
outside intruders and elements such as fire and water (floods, earthquakes,
tornados and hurricanes, and criminal activities)
a. Ensuring Availability – some disasters cannot
be avoided, so you must prepare and protect for worst-case scenarios; UPS
(Uninterruptible Power Supply) and Colocation Facilities
b. Securing the Facilities Infrastructure –
physical safeguards: LOCK THE
DOORS! Lock File Cabinets and
Desks/Drawers
1. Backups – Important!!!!!
2. Backup Sites
a. Hot backup site
b. Cold backup site
c. Data Mirrors
3. Redundant Data Centers – backup all your data
in several locations
4. Closed-Circuit Television (CCTV) – one way to
spot intruders
5. Uninterruptible Power Supply (UPS) – battery power that rides through short
outages and buys time for a clean shutdown or a generator start; it does not
prevent the power failure itself
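Added example (not in text) of the kind of review audit-control software performs, written for these notes in Python. It parses login records and flags three things: a burst of failed passwords from one address (password guessing), a successful login from an address that just produced such a burst, and an interactive login outside business hours. The log lines and their syslog-like format are constructed for the example; a real deployment would read the operating system’s own authentication log.

```python
"""What audit-control software does (added example): parse login records and
flag password-guessing bursts, a success that follows such a burst, and
logins outside business hours. Log lines and their format are constructed."""

import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line format: "<ISO timestamp>Z <Failed|Accepted> password for <user> from <ip>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for "
                  r"(?P<user>\S+) from (?P<ip>\S+)$")


def parse(line):
    m = LINE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def audit(lines, burst=5, window_s=60, hours=(8, 18)):
    """Single pass over the log; returns (alert_type, detail) tuples in order.
    Lines the parser cannot read are reported rather than dropped, because a
    silently skipped record is exactly what an intruder would want."""
    alerts = []
    recent_failures = defaultdict(deque)   # source ip -> failure timestamps within window
    suspect_ips = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed", line))
            continue
        ip, ts = ev["ip"], ev["ts"]
        if not ev["ok"]:
            q = recent_failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()                 # slide the window forward
            if len(q) >= burst and ip not in suspect_ips:
                suspect_ips.add(ip)
                alerts.append(("brute_force", ip))
            continue
        if ip in suspect_ips:               # the guess that finally worked
            alerts.append(("success_after_burst", f"{ev['user']}@{ip}"))
        if ts.weekday() >= 5 or not (hours[0] <= ts.hour < hours[1]):
            alerts.append(("off_hours_login", f"{ev['user']}@{ip}"))
    return alerts


# Constructed sample log: one normal login, a guessing burst that succeeds,
# a weekend 02:15 login, and a line the parser cannot read.
SAMPLE_LOG = """\
2024-03-05T10:00:00Z Accepted password for bob from 10.0.0.5
2024-03-05T10:02:00Z Failed password for alice from 203.0.113.9
2024-03-05T10:02:05Z Failed password for alice from 203.0.113.9
2024-03-05T10:02:10Z Failed password for alice from 203.0.113.9
2024-03-05T10:02:15Z Failed password for alice from 203.0.113.9
2024-03-05T10:02:20Z Failed password for alice from 203.0.113.9
2024-03-05T10:02:25Z Failed password for alice from 203.0.113.9
2024-03-05T10:02:40Z Accepted password for alice from 203.0.113.9
2024-03-09T02:15:00Z Accepted password for carol from 10.0.0.7
garbage line that the parser should not silently drop
""".splitlines()

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```

The sliding window matters: five failures spread over five minutes are ordinary fat-fingering and raise nothing, while five within a minute are a script; the threshold and window are the knobs an administrator tunes against the false-positive rate.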
C. Human Safeguards – TEACH your employees what
is acceptable (and unacceptable) computer behavior; TELL them the
punishment/sanctions for misuse
***Not in text: make
employees sign a document that they have read, been presented with, and
understand the rules and sanctions for violations of those rules – you may need
these in court!
D. Computer Forensics – the use of formal
investigative techniques to evaluate digital information for judicial review
V.
Managing
Information Systems Security – you need a published Acceptable Use
Policy; also hire trustworthy employees and treat them fairly
***Not in text: make
employees sign a document that they have read, been presented with, and
understand the Use Policy and sanctions for violations of that policy – you may
need these in court!
A. Developing an Information Systems Security
Plan – you need a plan for security, not just haphazard, random thoughts
on the issue
Risk
Analysis – determine the value of your data, assess threats and vulnerability,
assess current security, and recommend improvements
Policies
and Procedures – policies (business rules) and procedures (required steps)
should be written down and posted where they can be found when needed
Implementation
– put policies into effect
Training
– staff must be trained to use new policies
Auditing
– test your employees to see if they are following policy, test system to see
if policies work correctly
1. Disaster Planning – prepare ahead of time, be
proactive – what COULD happen?
a. Business Continuity Plan – describes how to
resume operation after a disaster
b. Disaster Recovery Plan – detailed procedures
for how to recover from a systems-related disaster
2. Designing the Recovery Plan – two
objectives:
a. Recovery Time Objective – the maximum time
allowed to recover from a catastrophic event, without disrupting the primary
business processes
b. Recovery Point Objective – how current should
the backup data be? How often do you
backup? If the worst occurs, how much
data will you lose between the time of failure and the time the system is
restored to working order?
3. Responding to a Security Breach – response to
a threat should be rapid, contact law enforcement as necessary and proper.
NOTE – according to local police, most (but not all) police
forces today have an Information Officer who can help with system security
breaches. Contact your local officer Immediately
and report all security breaches.
Insurance may not cover unreported losses, or losses reported beyond a
specified time period.
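Added example (not in text) of checking a recovery plan against the two objectives above: RPO as the hours of data lost, measured from the snapshot point of the last backup that is actually usable, and RTO as the hours the service was down. The backup catalogue, the failure and restore times, and the catalogue’s fields (started, completed, verified) are constructed for this example, not taken from the text.

```python
"""Checking a recovery plan against RTO and RPO (added example). Backup
catalogue, failure time and restore time are constructed; the catalogue
field names are an assumption of this example."""

from datetime import datetime, timedelta


def hours(delta):
    return delta.total_seconds() / 3600


def latest_usable_backup(backups, failure_time):
    """Newest backup that had finished before the failure and passed
    verification. One still running when the system died, or one that was
    never verified, cannot be counted on for recovery."""
    usable = [b for b in backups
              if b["completed"] is not None
              and b["completed"] <= failure_time
              and b["verified"]]
    return max(usable, key=lambda b: b["started"], default=None)


def evaluate_recovery(backups, failure_time, service_restored, rpo_h, rto_h):
    """RPO: data lost, in hours of work, from the last usable backup's
    snapshot point to the failure. RTO: hours the service was down."""
    downtime_h = hours(service_restored - failure_time)
    backup = latest_usable_backup(backups, failure_time)
    data_loss_h = None if backup is None else hours(failure_time - backup["started"])
    return {
        "restored_from": None if backup is None else backup["started"],
        "data_loss_h": data_loss_h,
        "downtime_h": downtime_h,
        "meets_rpo": data_loss_h is not None and data_loss_h <= rpo_h,
        "meets_rto": downtime_h <= rto_h,
    }


def max_backup_interval_h(rpo_h, backup_duration_h):
    """Worst case: failure strikes just before the next backup completes, so
    the loss is one interval plus one backup duration. Keep that within RPO."""
    if backup_duration_h >= rpo_h:
        raise ValueError("a backup takes longer than the RPO; use faster or incremental backups")
    return rpo_h - backup_duration_h


# Constructed catalogue: nightly full backups starting 01:00, two hours each.
def _backup(start, done=True, verified=True):
    return {"started": start,
            "completed": start + timedelta(hours=2) if done else None,
            "verified": verified}


BACKUPS = [
    _backup(datetime(2024, 3, 3, 1, 0)),
    _backup(datetime(2024, 3, 4, 1, 0)),
    _backup(datetime(2024, 3, 5, 1, 0), verified=False),   # checksum mismatch on verify
    _backup(datetime(2024, 3, 5, 13, 0), done=False),     # still running at failure
]
FAILURE = datetime(2024, 3, 5, 14, 30)
RESTORED = datetime(2024, 3, 5, 20, 30)
RPO_H, RTO_H = 24, 4

if __name__ == "__main__":
    print(evaluate_recovery(BACKUPS, FAILURE, RESTORED, RPO_H, RTO_H))
    print("backups must start every", max_backup_interval_h(RPO_H, 2), "hours")
```

With the constructed catalogue the newest verified backup is the one from March 4, so 37.5 hours of work are lost against a 24-hour RPO and the six-hour outage misses the four-hour RTO; had the March 5 backup verified, the loss would have been 13.5 hours and the RPO met. The point a recovery plan has to capture is that an unverified or half-finished backup does not count.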
B. The State of Systems Security Management
1. Financial fraud attacks result in the
greatest financial losses
2. Very few organizations report computer
intrusions to law enforcement agencies because of the possible negative
publicity that might hurt stock values or loss of competitive advantage to
competitors
3. Most organizations do not outsource security
4. Nearly all organizations conduct routine and
ongoing security audits
5. While most organizations believe security
training of employees is important, most employees believe the organization
does not spend enough time/money/resources on that training
Inset: When Things Go Wrong p. 435 – Backhoe
Cyberthreat – call before you dig!
VI. Information
Systems Controls, Auditing, and the Sarbanes-Oxley Act – Information Systems
Controls must be put into place to ensure security, control costs, gain and
protect trust, remain competitive, and/or comply with internal or external
governance
Preventative
Controls – prevent a potentially negative event from occurring
Detective
Controls – assess whether anything went wrong, such as unauthorized access
attempts
Corrective
Controls – mitigate the impact/effects of any problem after it has arisen
A. Information Systems Auditing – assessing the
state of information systems controls, often performed by external auditors
B. Sarbanes-Oxley Act, 2002 – federal
rules that firms must demonstrate there are controls in place to prevent
misuse/fraud, detect potential problems, and measures to correct problems; IS
Architecture plays a key role in S-OX compliance. Also, requires preservation of evidence to
document compliance for potential lawsuits.
COBIT
(Control Objectives for Information and Related Technologies) – a set of best
practices that help an organization maximize benefits from their IS
Infrastructure and establish appropriate controls
Inset: Industry Analysis p. 439 – Cybercops Track
Cybercriminals – criminals have learned to use the Internet as a resource for
crimes and cops (and courts and legislatures!!!) are always playing catch-up to
the latest use of technology by criminals