
Securing Information Systems
Prof. Himanshu Joshi
himanshu@imi.edu

1.1 © 2010 by Prentice Hall


Discussion Points?

• Consumer privacy concerns are on the rise. How do we address them?
• Why are information systems vulnerable to destruction, error, and abuse?
• What is the business value of security and control?
• What are the components of an organizational framework for security and control?
• What are the most important tools and technologies for safeguarding information resources?



Online Security in the News

• India witnessed more than 27,000 cyber security threat incidents in the first half of 2017
• 3.2 million debit cards compromised (Oct 2016)
• India Sees 280 Percent Increase in Bot Infections – Symantec Internet Security Threat Report 18 (April 2013)
• Total number of phishing attacks more than doubled over the past year, affecting 3.7 million people (Kaspersky Lab)
• Banking, utilities, healthcare, communications, government services, emergency services, transportation are under cyber-attack (Cerebral Business Research)
• Online banking threats on the rise (Trend Micro’s Q2 2013 Security Roundup Report)
• India holds the world's top spot for junk mail.
• An increase in mobile malware development
• 99 percent of mobile threats target Android devices (Kaspersky Lab)



Online Habits of Indians

Top 10 most-used passwords by year:

Rank  2015        2014        2013        2012        2011
#1    123456      123456      123456      password    password
#2    password    password    password    123456      123456
#3    12345678    12345       12345678    12345678    12345678
#4    qwerty      12345678    qwerty      abc123      qwerty
#5    12345       qwerty      abc123      qwerty      abc123
#6    123456789   1234567890  123456789   monkey      monkey
#7    football    1234        111111      letmein     1234567
#8    1234        baseball    1234567     dragon      letmein
#9    1234567     dragon      iloveyou    111111      trustno1
#10   baseball    football    adobe123    baseball    dragon
Source: http://www.cio.in/by-the-numbers/security-threats-where-do-they-really-originate

Internet Users

Data breaches:

• Zomato said in May that it was affected by a data breach in which the details of 7.7 million users were stolen. The leaked information was listed for sale on a Darknet market. The company was, however, able to contact the hacker and take down the data.
• Reliance Jio was also affected by a data breach: a website called magicapk.com went up last month, allowing anyone to search for the personal details of Jio customers.
• Mirai botnet malware: A botnet malware named Mirai took over the Internet, targeting home router users and other IoT-based devices.
• WannaCry: The WannaCry ransomware swept the world in May. India was the third worst-hit nation by ransomware.



You’re on Facebook? Watch Out!

• Facebook – world’s largest social network (2.07 billion active users)
• Problem – Identity theft and malicious software
  Examples:
  – Dec 2008: Koobface worm
  – 2009: 18-month hacker scam for passwords, resulted in Trojan horse download that stole financial data
  – May 2010: Spam campaign aimed at stealing logins
• Illustrates: Types of security attacks facing consumers
• Demonstrates: Ubiquity of hacking, malicious software
• Why is it that, in spite of a security team, this happened?



Power of IS

1. Ubiquity
2. Global reach
3. Universal standards
4. Richness
5. Interactivity
6. Information density
7. Personalization/Customization
8. Social technology

The IS Security Environment: The Scope of the Problem

• Globalization, increasing threats, overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses
– Symantec: Cyber crime on the rise from 2006
– Internet Crime Complaint Centre (IC3): Processed
200,000+ Internet crime complaints
– Computer Security Institute (CSI) survey: 46% detected
security breach; 91% suffered financial loss as a result
– Underground economy marketplace that offers sales of
stolen information growing



The IS Security Environment

Do e-commerce merchants and consumers face risks similar to those of traditional commerce?



Customer and Merchant Perspectives
on the Different Dimensions of IS Security



System Vulnerability and Abuse

• Why systems are vulnerable
  – Accessibility of networks
  – Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
  – Software problems (programming errors, installation errors, unauthorized changes)
  – Disasters
  – Use of networks/computers outside of firm’s control
  – Loss and theft of portable devices



Security Threats in the IS Environment

• Three key points of vulnerability:
  – Client
  – Server
  – Communications channel



System Vulnerability and Abuse
CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES (FIGURE 8-1)

The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.



A Typical E-commerce Transaction



Vulnerable Points in an E-commerce
Environment



Most Common Security Threats in the
IS Environment
• Malicious code (viruses, worms, Trojans and bots)
• Unwanted programs (adware, spyware, browser
parasites, key loggers)
• Phishing/Vishing/Smishing/identity theft
• Hacking and cybervandalism
• Credit card fraud/theft
• Spoofing (pharming)/spam (junk) Web sites
• DoS and DDoS attacks
• Sniffing
• Insider attacks
• Poorly designed server and client software
• Wireless security threats



Malicious Code
• Viruses: Have ability to replicate and spread to other files;
most also deliver a “payload” of some sort (destructive or
benign); include macro viruses, file-infecting viruses, and
script viruses
• Worms: Designed to spread from computer to computer
• Trojan horse: Appears to be benign, but then does
something other than expected
• Bots: Can be covertly installed on computer; responds to
external commands sent by the attacker
• SQL injection attacks
• Ransomware
• Malicious code is a threat at both client and server level



Unwanted Programs

• Installed without the user’s informed consent
  – Adware: Calls for unwanted pop-up ads
  – Browser parasites: Can monitor and change settings of a user’s browser
  – Spyware: Can be used to obtain information, such as a user’s keystrokes (keyloggers), e-mail, IMs, screenshots etc.



Phishing and Identity Theft

• Any deceptive, online attempt by a third party to obtain confidential information for financial gain
  – Most popular type: e-mail scam letter
  – One of fastest growing forms of e-commerce crime



Hacking and Cybervandalism

• Hacker: Individual who intends to gain unauthorized access to computer systems
• Cracker: Hacker with criminal intent (two terms often used interchangeably)
• Cybervandalism: Intentionally disrupting, defacing or destroying a Web site
• Types of hackers include:
  – White hats
  – Black hats
  – Grey hats



Spoofing (Pharming) and Spam (Junk) Web Sites

• Spoofing (Pharming)
  – Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
  – Redirecting users to a fake website
  – Threatens integrity of site; authenticity
• Spam (Junk) Web sites
  – Use domain names similar to legitimate ones, redirect traffic to spammer-redirection domains



DoS and DDoS Attacks

• Denial of service (DoS) attack
  – Hackers flood Web site with useless traffic to inundate and overwhelm network
• Distributed denial of service (DDoS) attack
  – Hackers use numerous computers to attack target network from numerous launch points
• Botnets
  – Networks of “zombie” PCs infiltrated by bot malware
  – Deliver 90 percent of world spam, 80 percent of world malware



Other Security Threats

• Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
• Evil Twins: Bogus wireless networks
• Insider jobs: Single largest financial threat
  – Social engineering: Tricking users into revealing their passwords
• Poorly designed server and client software: Increase in complexity of software programs has contributed to increase in vulnerabilities that hackers can exploit



Technology Solutions
• Protecting Internet communications
(encryption)
• Securing channels of communication
(SSL, S-HTTP, VPNs)
• Protecting networks (firewalls)
• Protecting servers and clients



Tools Available to Achieve Site Security



Protecting Internet Communications:
Encryption
• Encryption: Process of transforming plain
text into cipher text that cannot be read by
anyone other than the sender and receiver
• Purpose: Secure stored information and
information transmission
• Provides:
– Message integrity – message not altered
– Non-repudiation – prevents user from denial
– Authentication – verification of user identity
– Confidentiality – message not read by others



Symmetric Key Encryption
• Also known as secret key encryption
• Both the sender and receiver use the same
digital key to encrypt and decrypt message
• Requires a different set of keys for each
transaction
• Advanced Encryption Standard (AES): Most
widely used symmetric key encryption
today; offers 128-, 192-, and 256-bit
encryption keys; other standards use keys
with up to 2,048 bits



Public Key Encryption

• Solves symmetric key encryption problem of having to exchange secret key
• Uses two mathematically related digital keys (one way function) – public key (widely disseminated) and private key (kept secret by owner)
• Both keys used to encrypt and decrypt message
• Once key used to encrypt message, same key cannot be used to decrypt message
• For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
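The key pair relationship stated above, walked through with textbook RSA as an added example (not code from the slides): a message encrypted with the recipient's public key comes back only with the private key, and the public key cannot undo its own encryption. The primes 61 and 53 and the message 65 are constructed sample values chosen so the arithmetic is easy to follow; real keys use primes of hundreds of digits.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)): the public and private key built from two primes.

    n = p*q is published; recovering p and q from n is the hard direction of the
    one-way function, and d can only be computed by whoever knows phi(n).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """Modular exponentiation with either key: encryption and decryption are the
    same operation, differing only in which exponent is used."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def demo():
    """Replay the slide's example: the sender encrypts with the recipient's
    public key and the recipient decrypts with the private key."""
    public, private = make_keypair(61, 53)      # constructed sample primes
    message = 65                                 # constructed sample message
    ciphertext = apply_key(public, message)      # sender uses recipient's public key
    recovered = apply_key(private, ciphertext)   # recipient uses own private key
    same_key = apply_key(public, ciphertext)     # the encrypting key cannot decrypt
    return {"ciphertext": ciphertext, "recovered": recovered, "same_key_attempt": same_key}


if __name__ == "__main__":
    print(demo())
```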



Public Key Cryptography – A Simple Case



Digital Certificates and
Public Key Infrastructure (PKI)
• Digital certificate includes:
– Name of subject/company
– Subject’s public key
– Digital certificate serial number
– Expiration date
– Issuance date
– Digital signature of certification authority (trusted third
party institution) that issues certificate
– Other identifying information
• Public Key Infrastructure (PKI): refers to the CAs and
digital certificate procedures that are accepted by all parties



Digital Certificates and Certification
Authorities



Firewalls

A CORPORATE FIREWALL (FIGURE 8-5)
• The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.



Protecting Servers and Clients

• Operating system controls: Authentication and access control mechanisms (Passwords, Tokens, Smart Cards and Biometrics)
• Anti-virus software: Easiest and least expensive way to prevent threats to system integrity



Developing an IS Security Plan



Risk Assessment

• Risk assessment: Determines level of risk to firm if specific activity or process is not properly controlled
• Types of threat
• Probability of occurrence during year
• Potential losses, value of threat
• Expected annual loss

Exposure        Probability   Loss range (avg)         Expected annual loss
Power failure   30%           $5K–$200K ($102,500)     $30,750
Embezzlement    5%            $1K–$50K ($25,500)       $1,275
User error      98%           $200–$40K ($20,100)      $19,698
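The expected annual loss column, worked through as an added example (not from the slides): the average loss is the midpoint of the loss range and the expected annual loss is the probability of occurrence times that average, which reproduces the table's three figures; the ranking function then orders the exposures so controls are funded where expected loss is highest.

```python
def average_loss(low: float, high: float) -> float:
    """Midpoint of the loss range, which is how the (AVG) column is obtained."""
    return (low + high) / 2


def expected_annual_loss(probability: float, low: float, high: float) -> float:
    """Expected annual loss = probability of occurrence during the year x average loss."""
    return round(probability * average_loss(low, high), 2)


# The three exposures exactly as given in the table: (name, probability, low, high) in dollars
EXPOSURES = [
    ("Power failure", 0.30, 5_000, 200_000),
    ("Embezzlement", 0.05, 1_000, 50_000),
    ("User error", 0.98, 200, 40_000),
]


def rank_exposures(exposures=EXPOSURES):
    """Return (name, average loss, expected annual loss) rows with the largest
    expected annual loss first, i.e. the order in which to prioritise controls."""
    rows = [(name, average_loss(low, high), expected_annual_loss(p, low, high))
            for name, p, low, high in exposures]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def total_expected_loss(exposures=EXPOSURES) -> float:
    """Sum of the expected annual losses: the yearly figure a security budget is weighed against."""
    return round(sum(expected_annual_loss(p, low, high) for _, p, low, high in exposures), 2)


if __name__ == "__main__":
    for name, avg, eal in rank_exposures():
        print(f"{name:14} avg ${avg:,.0f}  expected annual loss ${eal:,.0f}")
    print(f"Total expected annual loss: ${total_expected_loss():,.0f}")
```

Note that user error ranks second despite the smallest average loss, because its near-certain occurrence dominates the product.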

