Chapter 5 Protecting Information Resources

Learning Objectives
- Describe information technologies that could be used in computer crimes.
- Describe basic safeguards in computer and network security.
- Explain the major security threats.
- Describe security and enforcement measures.
- Summarize the guidelines for a comprehensive security system, including business continuity planning.

Detailed Chapter Outline

I. Risks Associated with Information Technologies

Information technologies can be misused to invade users’ privacy and commit computer crimes. However, many of these risks can be minimized or prevented by installing operating system updates regularly, using antivirus and antispyware software, and using e-mail security features.

A. The Costs of Cyber Crime to the U.S. Economy

Hackers, computer criminals, and cyber criminals, both domestic and international, could cost the U.S. economy over $100 billion and 500,000 jobs per year. The costs include stolen identities, intellectual property, and trade secrets, as well as the damage done to companies’ and individuals’ reputations. Job losses include manufacturing jobs as well as jobs lost when stolen trade secrets and other intellectual property result in work being moved overseas.

B. Spyware and Adware

Spyware is software that secretly gathers information about users while they browse the Web. This information can be used for malicious purposes, and spyware can also interfere with users’ control of their computers. To protect against spyware, install antivirus software that also checks for spyware, or install dedicated antispyware software such as Spy Sweeper, CounterSpy, STOPzilla, and Spyware Doctor.

Adware is a form of spyware that collects information about the user (without the user’s consent) to determine which advertisements to display in the user’s Web browser. In addition to antivirus software, an ad-blocking feature should be installed in the Web browser to protect against adware.

C. Phishing and Pharming

Phishing is sending fraudulent e-mails that seem to come from legitimate sources, such as a bank or university. Pharming is similar to phishing in that Internet users are directed to fraudulent Web sites with the intention of stealing their personal information, such as Social Security numbers, passwords, bank account numbers, and credit card numbers. The difference is that pharmers usually hijack an official Web site address by hacking a Domain Name System (DNS) server and altering the legitimate Web site’s IP address, so that users who enter the correct Web address are directed to the pharmer’s fraudulent Web site.

D. Keystroke Loggers

Keystroke loggers monitor and record keystrokes and can be software or hardware devices. Companies sometimes use these devices to track employees’ use of e-mail and the Internet, and this use is legal. Keystroke loggers can also be used for malicious purposes, such as collecting the credit card numbers that users enter while shopping online.

E. Sniffing and Spoofing

Sniffing is capturing and recording network traffic. Although it can be done for legitimate reasons, such as monitoring network performance, hackers often use it to intercept information. Spoofing is an attempt to gain access to a network by posing as an authorized user in order to find sensitive information, such as passwords and credit card information.

F. Computer Crime and Fraud

Computer fraud is the unauthorized use of computer data for personal gain, such as transferring money from another’s account or charging purchases to someone else’s account.
In addition to phishing, pharming, and spoofing, computer crimes include the following:
- Denial-of-service attacks
- Identity theft
- Software piracy and other infringements of intellectual property
- Distributing child pornography
- E-mail spamming
- Writing or spreading viruses, worms, Trojan programs, and other malicious code
- Stealing files for industrial espionage
- Changing computer records illegally
- Virus hoaxes

Another computer crime is sabotage, which involves destroying or disrupting computer services. Computer criminals change, delete, hide, or use computer files for personal gain. Usually called hackers, many of them break into computer systems for personal satisfaction, but others seek financial gain. In some cases, computer criminals and hackers get hold of a company’s critical data and then demand a ransom. In recent years, ransomware has emerged: a type of malware designed to block access to a computer system until a sum of money is paid.

II. Computer and Network Security: Basic Safeguards

Computer and network security has become critical for most organizations, especially in recent years, with hackers becoming more numerous and more adept at stealing and altering private information. A comprehensive security system protects an organization’s resources, including information, computer, and network equipment. The information an organization needs to protect can take many forms: e-mails, invoices transferred via electronic data interchange (EDI), new product designs, marketing campaigns, and financial statements.

There are three important aspects of computer and network security:
- Confidentiality means that a system must not allow information to be disclosed to anyone who is not authorized to access it.
- Integrity refers to the accuracy of information resources within an organization.
- Availability means that computers and networks are operating and authorized users can access the information they need.

These three aspects are collectively referred to as the CIA triangle.

The Committee on National Security Systems (CNSS) has proposed another model, called the McCumber Cube. John McCumber created this framework for evaluating information security. Represented as a three-dimensional cube, it defines nine characteristics of information security. The model includes the different states in which information can exist in a system: transmission, storage, and processing.

In addition, a comprehensive security system must provide three levels of security:
- Level 1: front-end servers, those available to both internal and external users, must be protected against unauthorized access.
- Level 2: back-end systems (such as users’ workstations and internal database servers) must be protected to ensure confidentiality, accuracy, and integrity of data.
- Level 3: the corporate network must be protected against intrusion, denial-of-service attacks, and unauthorized access.

When planning a comprehensive security system, the first step is designing fault-tolerant systems, which use a combination of hardware and software to improve reliability, a way of ensuring availability in case of a system failure. Commonly used methods include the following:
- Uninterruptible power supply (UPS): this backup power unit continues to provide electrical power in the event of blackouts and other power interruptions and is most often used to protect servers.
- Redundant array of independent disks (RAID): a collection of disk drives used to store data in multiple places.
- Mirror disks: this method uses two disks containing the same data; if one fails, the other is available, allowing operations to continue.

III. Security Threats: An Overview

Computer and network security are important to prevent loss of, or unauthorized access to, important information resources. Some threats can be controlled completely or partially, but some cannot be controlled.
Threats can also be categorized by whether they are unintentional (such as natural disasters, a user’s accidental deletion of data, and structural failures) or intentional.

A. Intentional Threats

Intentional computer and network threats include viruses, worms, Trojan programs, logic bombs, backdoors, blended threats (e.g., a worm launched by a Trojan), rootkits, denial-of-service attacks, and social engineering.

Viruses

Viruses are the most well-known computer and network threats. They are a type of malware (short for malicious software), which is any program or file that is harmful to computers or networks. A virus consists of self-propagating program code that is triggered by a specified time or event. The seriousness of viruses varies, ranging from displaying an image on the user’s screen to destroying programs and data. Viruses can be transmitted through a network or through e-mail attachments. Virus hoaxes are spread as well, and in some ways a hoax can cause as much damage as a real virus. Installing and updating an antivirus program is the best measure against viruses. Widely used antivirus programs include McAfee Virus Scan, Norton Antivirus, and Trend Micro.

Worms

A worm travels from computer to computer in a network, but it does not usually erase data. It might corrupt data, but more typically it replicates itself into a full-blown version that eats up computing resources, eventually bringing a computer or network to a halt.

Trojan Programs

A Trojan program contains code intended to disrupt a computer, network, or Web site, and it is usually hidden inside a popular program. These programs can erase data and wreak havoc on computers and networks, but they do not replicate themselves, as viruses and worms do.

Logic Bombs

A logic bomb is a type of Trojan program used to release a virus, worm, or other destructive code. Logic bombs are triggered at a certain time or by a specific event, such as a user pressing the Enter key or running a certain program.

Backdoors

A backdoor (also called a trapdoor) is a programming routine built into a system by its designer or programmer. This routine enables the designer or programmer to bypass system security and sneak back into the system later to access programs or files.

Blended Threats

A blended threat is a security threat that combines the characteristics of computer viruses, worms, and other malicious code with vulnerabilities found on public and private networks. Blended threats may launch a worm through a Trojan horse or launch a denial-of-service (DoS) attack at a targeted IP address. Their goal is not just to start and transmit an attack but to spread it.

Denial-of-Service Attacks

A denial-of-service (DoS) attack floods a network or server with service requests to prevent legitimate users’ access to the system. Typically, DoS attackers target Internet servers (usually Web, FTP, or mail servers), although any system connected to the Internet running TCP services is subject to attack. Recently, emergency-service providers and many other organizations have been targeted by a new type of DoS attack, called a TDoS (telephony denial of service) attack. These attacks use high volumes of automated calls to tie up a target phone system, halting incoming and outgoing calls.

Social Engineering

In the context of security, social engineering means using “people skills” (such as being a good listener and assuming a friendly, unthreatening air) to trick others into revealing private information. Social engineers use a variety of tools and techniques to gather private information, including publicly available sources of information: Google Maps, company Web sites, newsgroups, and blogs, for example. In addition, two commonly used social engineering techniques are called dumpster diving and shoulder surfing. Social engineers often search through dumpsters or trash cans looking for discarded material (such as phone lists and bank statements) that they can use to help break into a network. Shoulder surfing, that is, looking over someone’s shoulder, is the easiest form of collecting information. Social engineers use this technique to observe an employee entering a password or a person entering a PIN at an ATM, for example.

IV. Security Measures and Enforcement: An Overview

A comprehensive security system should include biometric security measures, nonbiometric security measures, physical security measures, access controls, virtual private networks, data encryption, e-commerce transaction security measures, and the Computer Emergency Response Team.

A. Biometric Security Measures

Biometric security measures use a physiological element that is unique to a person and cannot be stolen, lost, copied, or passed on to others. The following list describes some biometric devices:
- Facial recognition
- Fingerprints
- Hand geometry
- Iris analysis
- Palm prints
- Retinal scanning
- Signature analysis
- Vein analysis
- Voice recognition

Some drawbacks of biometrics are high cost, users’ reluctance, and complex installation. However, with improvements being made to address these drawbacks, biometrics can be a viable alternative to traditional security measures.

B. Nonbiometric Security Measures

The three main nonbiometric security measures are callback modems, firewalls, and intrusion detection systems.

Callback Modems

A callback modem verifies whether a user’s access is valid by logging the user off (after he or she attempts to connect to the network) and then calling the user back at a predetermined number.

Firewalls

A firewall is a combination of hardware and software that acts as a filter or barrier between a private network and external computers or networks, including the Internet. An effective firewall should protect data going out of the network as well as data coming into the network.
Information being transmitted is stored in what’s called a packet, and after examining a packet, a firewall can take one of the following actions:
- Reject the incoming packet
- Send a warning to the network administrator
- Send a message to the packet’s sender that the attempt failed
- Allow the packet to enter (or leave) the private network

The main types of firewalls are packet-filtering firewalls, application-filtering firewalls, and proxy servers.

Packet-filtering firewalls control data traffic by configuring a router to examine packets passing into and out of the network. These firewalls record all incoming connections, and packets that are rejected might be a warning sign of an unauthorized attempt. Packet-filtering firewalls are somewhat inefficient, however, because they have to examine packets one by one, and they might be difficult to install.

Application-filtering firewalls are generally more secure and flexible than packet-filtering firewalls, but they are also more expensive. Typically, they are software installed on a host computer (a dedicated workstation or server) to control use of network applications, such as e-mail, Telnet, and FTP. Application-filtering firewalls also filter viruses and log actions more effectively than packet-filtering firewalls, which helps network administrators spot potential security breaches.

A proxy server is software that acts as an intermediary between two systems, for example between network users and the Internet. It is often used to help protect the network against unauthorized access from outside by hiding the network addresses of internal systems.

Although firewalls can do a lot to protect networks and computers, they do not offer complete security. To provide comprehensive security for data resources, firewalls should be used along with other security measures.
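The packet-filtering behaviour described above (examine each packet, take one of the listed actions, record incoming connections, and treat repeated rejections from one source as a warning sign) as a small worked model. This is an added illustration, not the textbook's code; the rule format, the action names and the sample addresses (taken from documentation ranges) are constructed for the example.

```python
"""Toy packet-filtering firewall modelling the chapter's four actions
and its connection log.  Added illustration, not the textbook's code."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# The four outcomes the chapter lists, folded into three rule actions:
# ALLOW lets the packet through; REJECT drops it and tells the sender the
# attempt failed; WARN does the same and additionally alerts the administrator.
ALLOW, REJECT, WARN = "allow", "reject", "warn"


@dataclass
class Rule:
    direction: str    # "in" (entering the private network) or "out" (leaving it)
    network: str      # CIDR block the remote address must fall in, e.g. "0.0.0.0/0"
    ports: frozenset  # destination ports matched; an empty set means any port
    action: str       # ALLOW, REJECT or WARN


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    rules: list
    connection_log: list = field(default_factory=list)  # every incoming connection
    admin_alerts: list = field(default_factory=list)
    sender_notices: list = field(default_factory=list)

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (rule.direction == pkt.direction
                and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.network)
                and (not rule.ports or pkt.dport in rule.ports))

    def filter(self, pkt: Packet) -> str:
        """Examine one packet: the first matching rule wins; default is to reject."""
        action = next((r.action for r in self.rules if self._matches(r, pkt)), REJECT)
        if pkt.direction == "in":
            self.connection_log.append((pkt.src, pkt.dport, action))
        if action == WARN:
            self.admin_alerts.append(f"suspicious packet from {pkt.src} to port {pkt.dport}")
        if action in (REJECT, WARN):
            self.sender_notices.append((pkt.src, "connection attempt failed"))
        return action

    def suspicious_sources(self, threshold: int = 3) -> dict:
        """Sources whose rejected packets reach the threshold: the chapter's
        'warning sign of an unauthorized attempt'."""
        rejected = Counter(src for src, _, act in self.connection_log if act != ALLOW)
        return {src: n for src, n in rejected.items() if n >= threshold}


def run_sample() -> Firewall:
    """Constructed sample policy and traffic; returns the firewall with its logs."""
    fw = Firewall(rules=[
        Rule("in", "0.0.0.0/0", frozenset({80, 443}), ALLOW),  # public Web server
        Rule("in", "0.0.0.0/0", frozenset({23}), WARN),        # Telnet from outside
        Rule("out", "0.0.0.0/0", frozenset(), ALLOW),          # outbound traffic
    ])
    traffic = [
        Packet("in", "203.0.113.5", "192.0.2.10", 443),
        Packet("in", "203.0.113.9", "192.0.2.10", 23),
        Packet("in", "203.0.113.9", "192.0.2.10", 3389),
        Packet("in", "203.0.113.9", "192.0.2.10", 445),
        Packet("out", "192.0.2.10", "198.51.100.1", 25),
    ]
    for pkt in traffic:
        fw.filter(pkt)
    return fw


if __name__ == "__main__":
    fw = run_sample()
    for entry in fw.connection_log:
        print(entry)
    print("alerts:", fw.admin_alerts)
    print("suspicious:", fw.suspicious_sources())
```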
Other guidelines for improving a firewall’s capabilities include the following:
- Identify what data must be secured, and conduct a risk analysis to assess the costs and benefits of a firewall
- Compare a firewall’s features with the organization’s security needs
- Compare the features of packet-filtering firewalls, application-filtering firewalls, and proxy servers to determine which type best addresses the network’s security needs
- Examine the costs of firewalls
- Compare the firewall’s security with its ease of use
- Check the vendor’s reputation, technical support, and update policies before making a final decision

Another alternative is to build a firewall instead of purchasing one. This option might be more expensive.

Intrusion Detection Systems

An intrusion detection system (IDS) can protect a network against both external and internal access. It is usually placed in front of a firewall and can identify attack signatures, trace patterns, generate alarms for the network administrator, and cause routers to terminate connections with suspicious sources. An IDS monitors network traffic and uses the “prevent, detect, and react” approach to security. Although it improves security, it requires a great deal of processing power and can affect network performance.

C. Physical Security Measures

Physical security measures primarily control access to computers and networks, and they include devices for securing computers and peripherals from theft. Common physical security measures include the following:
- Cable shielding
- Corner bolts
- Electronic trackers
- Identification (ID) badges
- Proximity-release door openers
- Room shielding
- Steel encasements

D. Access Controls

Access controls are designed to protect systems from unauthorized access in order to preserve data integrity.

Terminal Resource Security

Terminal resource security is a software feature that erases the screen and signs the user off automatically after a specified length of inactivity. Some programs also allow users to access data only during certain times, which reduces break-in attempts during off hours.

Passwords

A password is a combination of numbers, characters, and symbols that is entered to allow access to a system. A password’s length and complexity determine its vulnerability to discovery by unauthorized users. Because of the obvious limitations and shortcomings of passwords, researchers are hard at work on replacing passwords with other authentication methods that are less vulnerable.

E. Virtual Private Networks

A virtual private network (VPN) provides a secure “tunnel” through the Internet for transmitting messages and data via a private network. Data is encrypted before it is sent through the tunnel using a protocol such as Layer Two Tunneling Protocol (L2TP) or Internet Protocol Security (IPSec). VPNs are an alternative to private leased lines or dedicated Integrated Services Digital Network (ISDN) lines and T1 lines.

F. Data Encryption

Data encryption transforms data, called plaintext or cleartext, into a scrambled form called ciphertext that cannot be read by others. The rules for encryption, known as the encryption algorithm, determine how simple or complex the transformation process should be. The receiver then unscrambles the data by using a decryption key. A commonly used encryption protocol is Secure Sockets Layer (SSL), which manages transmission security on the Internet. A more recent cryptographic protocol is Transport Layer Security (TLS), which ensures data security and integrity over public networks, such as the Internet.

There are two main types of encryption:
- Asymmetric (also called public key encryption)
- Symmetric

A PKI (public key infrastructure) enables users of a public network such as the Internet to securely and privately exchange data through the use of a pair of keys, a public one and a private one, that is obtained from a trusted authority and shared through that authority.
Asymmetric encryption uses two keys: a public key known to everyone and a private or secret key known only to the recipient. A message encrypted with a public key can be decrypted only with the same algorithm used by the public key and requires the recipient’s private key, too. The main drawback of asymmetric encryption is that it is slower and requires a large amount of processing power.

In symmetric encryption (also called secret key encryption), the same key is used to encrypt and decrypt the message. The sender and receiver must agree on the key and keep it secret. The problem with symmetric encryption is that sharing the key over the Internet is difficult.

Encryption can also be used to create digital signatures that authenticate senders’ identities and verify that the message or data has not been altered. The sender encrypts the message with his or her private key and runs an algorithm that hashes the message, producing a message digest. The message digest cannot be converted back to the original message, so anyone intercepting the digest cannot recover the message from it. The sender then uses the private key to encrypt the message digest; this encrypted digest is called the digital signature. The sender transmits the encrypted message together with the digital signature. The recipient uses the public key to decrypt the message and then applies the same hashing algorithm to it, creating a second version of the message digest. Next, the recipient uses the public key to decrypt the digital signature and obtains the message digest that was sent. The recipient then compares the two message digests. If they match, the message was not tampered with and is the same as the one that was sent.

G. E-Commerce Transaction Security Measures

In e-commerce transactions, three factors are critical for security: authentication, confirmation, and nonrepudiation. Authentication is important because the person using a credit card number in an online transaction is not necessarily the card’s legitimate owner.
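The hash, sign, re-hash and compare steps of the digital signature procedure in section F (the same mechanism that supplies nonrepudiation in e-commerce transactions), as an added example that is not the textbook's code. It assumes textbook RSA built from two Mersenne primes with an 88-bit truncated SHA-256 digest so the digest always fits the toy modulus; the chapter names no algorithm, and these toy parameters are for illustration only. The message body is sent in the clear here; the chapter's separate encryption of the message itself is left out.

```python
"""Digital signature walk-through: hash the message, sign the digest with the
private key, let the recipient re-hash and compare.  Added illustration using
toy RSA parameters; not the textbook's code."""
import hashlib

# Toy RSA key pair from two well-known Mersenne primes (p = 2^31-1, q = 2^61-1).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q                            # modulus, roughly 92 bits
E = 65537                            # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent; needs Python 3.8+
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

DIGEST_BYTES = 11   # 88 bits, so the digest as an integer is always below N


def message_digest(message: bytes) -> int:
    """One-way hash: the digest cannot be turned back into the message."""
    return int.from_bytes(hashlib.sha256(message).digest()[:DIGEST_BYTES], "big")


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the message digest with the private key: the digital signature."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient side: decrypt the signature with the public key to get the
    digest that was sent, re-hash the received message, and compare the two."""
    e, n = public_key
    sent_digest = pow(signature, e, n)
    return sent_digest == message_digest(message)


def demo():
    """Constructed sample: an intact message verifies, a tampered one does not."""
    original = b"Transfer $500 to account 1234"
    signature = sign(original, PRIVATE_KEY)
    intact = verify(original, signature, PUBLIC_KEY)
    tampered = verify(b"Transfer $5000 to account 1234", signature, PUBLIC_KEY)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```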
Two factors are important: what the receiver knows to be accurate and what the sender is providing. Confirmation must also be incorporated into e-commerce transactions, to verify orders and receipt of shipments. Nonrepudiation is needed in case a dispute over a transaction is raised. Digital signatures are used for this and serve to bind partners in a transaction.

E-commerce transaction security is concerned with the following issues:
- Confidentiality
- Authentication
- Integrity
- Nonrepudiation of origin
- Nonrepudiation of receipt

H. Computer Emergency Response Team

The Computer Emergency Response Team (CERT) was developed by the Defense Advanced Research Projects Agency (part of the Department of Defense) in response to the 1988 Morris worm attack, which disabled 10 percent of the computers connected to the Internet. Currently, CERT focuses on security breaches and DoS attacks and offers guidelines on handling and preventing these incidents. In addition, the Office of Cyber Security at the Department of Energy offers a security service, the Cyber Incident Response Capability (CIRC). CIRC’s main function is to provide information on security incidents, including information systems’ vulnerabilities, viruses, and malicious programs.

V. Guidelines for a Comprehensive Security System

An organization’s employees are an essential part of the success of any security system, so training employees about security awareness and security measures is important. In addition, making sure management supports security training helps promote security awareness throughout the organization. Organizations should understand the principles of the Sarbanes-Oxley Act of 2002 and conduct a basic risk analysis before establishing a security program. This analysis often makes use of financial and budgeting techniques, such as return on investment (ROI), to determine which resources are most important and should have the strongest protection.
This information can also help organizations weigh the cost of a security system.

A. Business Continuity Planning

To lessen the effects of a natural disaster or a network attack or intrusion, planning the recovery is important. This should include business continuity planning, which outlines procedures for keeping an organization operational. A disaster recovery plan lists the tasks that must be performed to restore damaged data and equipment as well as steps to prepare for disaster. If disaster strikes, organizations should follow these steps to resume normal operations as soon as possible:
- Put together a management crisis team to oversee the recovery plan.
- Contact the insurance company.
- Restore phone lines and other communication systems.
- Notify all affected people, including customers, suppliers, and employees.
- Set up a help desk to assist affected people.
- Notify the affected people that recovery is underway.
- Document all actions taken to regain normality so you know what worked and what did not work; revise the disaster recovery plan, if needed.

Key Terms

- Spyware is software that secretly gathers information about users while they browse the Web. (P. 90)
- Adware is a form of spyware that collects information about the user (without the user’s consent) to determine which advertisements to display in the user’s Web browser. (P. 90)
- Phishing is sending fraudulent e-mails that seem to come from legitimate sources, such as a bank or university. (P. 90)
- Pharming is directing Internet users to fraudulent Web sites with the intention of stealing their personal information, such as Social Security numbers, passwords, bank account numbers, and credit card numbers. The difference from phishing is that pharmers usually hijack an official Web site address, then alter its IP address so that users who enter the correct Web address are directed to the pharmers’ fraudulent Web site. (P. 90)
- Keystroke loggers monitor and record keystrokes and can be software or hardware devices. (P. 90)
- Sniffing is capturing and recording network traffic. (P. 90)
- Spoofing is an attempt to gain access to a network by posing as an authorized user in order to find sensitive information, such as passwords and credit card information. (P. 90)
- Computer fraud is the unauthorized use of computer data for personal gain. (P. 90)
- Confidentiality means that a system must prevent disclosing information to anyone who is not authorized to access it. (P. 93)
- Integrity refers to the accuracy of information resources within an organization. (P. 93)
- Availability means that computers and networks are operating, and authorized users can access the information they need. It also means a quick recovery in the event of a system failure or disaster. (P. 93)
- Fault-tolerant systems ensure availability in the event of a system failure by using a combination of hardware and software. (P. 93)
- A virus consists of self-propagating program code that is triggered by a specified time or event. When the program or operating system containing the virus is used, the virus attaches itself to other files, and the cycle continues. (P. 94)
- A worm travels from computer to computer in a network, but it does not usually erase data. Unlike viruses, worms are independent programs that can spread themselves without having to be attached to a host program. (P. 95)
- A Trojan program contains code intended to disrupt a computer, network, or Web site, and it is usually hidden inside a popular program. Users run the popular program, unaware that the malicious program is also running in the background. (P. 95)
- A logic bomb is a type of Trojan program used to release a virus, worm, or other destructive code. Logic bombs are triggered at a certain time (sometimes the birthday of a famous person) or by a specific event, such as a user pressing the Enter key or running a certain program. (P. 96)
- A backdoor (also called a trapdoor) is a programming routine built into a system by its designer or programmer. It enables the designer or programmer to bypass system security and sneak back into the system later to access programs or files. (P. 96)
- A blended threat is a security threat that combines the characteristics of computer viruses, worms, and other malicious code with vulnerabilities found on public and private networks. (P. 96)
- A denial-of-service (DoS) attack floods a network or server with service requests to prevent legitimate users’ access to the system. (P. 96)
- Social engineering means using “people skills” (such as being a good listener and assuming a friendly, unthreatening air) to trick others into revealing private information. This is an attack that takes advantage of the human element of security systems. (P. 97)
- Biometric security measures use a physiological element that is unique to a person and cannot be stolen, lost, copied, or passed on to others. (P. 98)
- A callback modem verifies whether a user’s access is valid by logging the user off (after he or she attempts to connect to the network) and then calling the user back at a predetermined number. (P. 99)
- A firewall is a combination of hardware and software that acts as a filter or barrier between a private network and external computers or networks, including the Internet. A network administrator defines rules for access, and all other data transmissions are blocked. (P. 99)
- An intrusion detection system (IDS) can protect against both external and internal access. It is usually placed in front of a firewall and can identify attack signatures, trace patterns, generate alarms for the network administrator, and cause routers to terminate connections with suspicious sources. (P. 101)
- Physical security measures primarily control access to computers and networks, and they include devices for securing computers and peripherals from theft. (P. 101)
- Access controls are designed to protect systems from unauthorized access in order to preserve data integrity. (P. 102)
- A password is a combination of numbers, characters, and symbols that is entered to allow access to a system. (P. 103)
- A virtual private network (VPN) provides a secure “tunnel” through the Internet for transmitting messages and data via a private network. (P. 104)
- Data encryption transforms data, called plaintext or cleartext, into a scrambled form called ciphertext that cannot be read by others. (P. 104)
- Secure Sockets Layer (SSL) is a commonly used encryption protocol that manages transmission security on the Internet. (P. 104)
- Transport Layer Security (TLS) is a cryptographic protocol that ensures data security and integrity over public networks, such as the Internet. (P. 105)
- A PKI (public key infrastructure) enables users of a public network such as the Internet to securely and privately exchange data through the use of a pair of keys, a public one and a private one, that is obtained from a trusted authority and shared through that authority. (P. 105)
- Asymmetric encryption uses two keys: a public key known to everyone and a private or secret key known only to the recipient. A message encrypted with a public key can be decrypted only with the same algorithm used by the public key and requires the recipient’s private key, too. Anyone intercepting the message cannot decrypt it because he or she does not have the private key. (P. 105)
- In symmetric encryption (also called secret key encryption), the same key is used to encrypt and decrypt the message. The sender and receiver must agree on the key and keep it secret. (P. 106)
- Business continuity planning outlines procedures for keeping an organization operational in the event of a natural disaster or network attack. (P. 108)

Instructor Manual for MIS, Hossein Bidgoli. ISBNs: 9781305632004, 9781337625999, 9781337625982, 9781337406925