Info Systems -- Chapter 4

Factors Increasing the Threats to Information Security

- Today's interconnected, interdependent, wirelessly-networked business environment
- Government legislation
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime tur

Categories of Threats to Information Systems

- Unintentional acts
- Natural disasters
- Technical failures
- Management failures
- Deliberate acts

Unintentional Acts

- Human errors
- Deviations in quality of service by service providers (e.g., utilities)
- Environmental hazards (e.g., dirt, dust, humidity)

Human Errors

- Shoulder surfing
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection and use
- And more

Most dangerous employees

As we are discussing human errors, we should note that the biggest threat to the security of an organization's information assets is the company's own employees. In fact, the most dangerous employees are those in human resources and MIS. HR employees have ac

Deliberate Acts

- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information (For example, dumpster diving)
- Software attacks: Virus, Worm, Trojan horse, Logic Bomb, Phishing,
- Alien software: spyware, spamware, cookies

Risk Mitigation Strategies

- Risk acceptance
- Risk limitation
- Risk transference

Information System Controls

- Physical controls
- Access controls
- Communications (network) controls
- Application controls

Access Controls

- Something the user is (biometrics)
- Something the user has
- Something the user does
- Something the user knows (passwords or passphrases)
- Least privilege

Communication or Network Controls

- Anti-malware systems
- Whitelisting and blacklisting
- Intrusion detection systems
- Virtual private networking
- Secure Sockets Layer (now Transport Layer Security)
- Vulnerability management systems
- Employee monitoring systems

Corporate Firewall

An organizational firewall has the following components:
(1) an external firewall facing the Internet;
(2) a demilitarized zone (DMZ) located between the two firewalls; the DMZ contains company servers that typically handle Web page requests and e-mail;
(3) a

An untrusted network

in general, is any network external to your organization. The Internet, by definition, is an untrusted network

Downstream liability

occurs when Company A's systems are attacked and taken over by the perpetrator. Company A's systems are then used to attack Company B. Company A could be sued successfully by Company B, if Company A cannot prove that it exercised due diligence in securing

Due diligence

means that a company takes all necessary security precautions, as judged by commonly accepted best practices.

Unmanaged devices

are those outside the control of the IT department. Examples include devices in hotel business centers, customer computers, and computers in restaurants such as McDonald's, Panera, Starbucks, etc.

Lack of management support takes many forms

insufficient funding, technological obsolescence, and lack of attention.

A threat to an information resource

is any danger to which a system may be exposed.

The exposure of an information resource

is the harm, loss or damage that can result if a threat compromises that resource.

A system's vulnerability

is the possibility that the system will suffer harm by a threat.

Risk
is the likelihood that a threat will occur.

Information system controls are

the procedures, devices, or software aimed at preventing a compromise to the system.

Shoulder surfing

occurs when the attacker watches another person's computer screen over that person's shoulder. It is particularly dangerous in public areas such as airports, commuter trains, and on airplanes.

Social engineering

is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords. Social engineering is a typically unintentional human error on the part of an employee, but it is the resu

Competitive intelligence

consists of legal information-gathering techniques.

Industrial espionage

crosses the legal boundary.

A virus

is a segment of computer code that performs malicious actions by attaching to another computer program.

A worm

is a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.

A Trojan horse

is a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send them to

A logic bomb

is a segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

Phishing attacks

use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.

In a distributed denial-of-service attack

the attacker first takes over many computers. These computers are called zombies or bots. Together, these bots form a botnet.

Spyware
collects personal information about users without their consent. Two types of spyware are keystroke loggers (keyloggers) and screen scrapers.

Keystroke loggers

record your keystrokes and your Web browsing history.

Screen scrapers

record a continuous "movie" of what you do on a screen.

Spamware
is alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited e-mail.

Cookies
are small amounts of information that Web sites store on your computer.

Risk
The probability that a threat will impact an information resource.

Risk management

To identify, control and minimize the impact of threats.

Risk analysis

To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.

Risk mitigation

is when the organization takes concrete actions against risk. It has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery should the threat become a reality.

Risk Acceptance

Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Risk limitation

Limit the risk by implementing controls that minimize the impact of a threat.

Risk transference

Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.

Physical controls

Physical protection of computer facilities and resources.

Access controls

Restriction of unauthorized user access to computer resources; use biometric and password controls for user identification.

Communications (network) controls

Protect the movement of data across networks; they include border security controls, authentication, and authorization.

Application controls

protect specific applications.

Authentication
Major objective is proof of identity.

Something the User Is

Also known as biometrics, these access controls examine a user's innate physical characteristics.

Something the User Has

These access controls include regular ID cards, smart cards, and tokens.

Something the User Does

These access controls include voice and signature recognition.

Something the User Knows

These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.

Authorization
Permission issued to individuals and groups to do certain activities with information resources, based on verified identity.

A privilege

is a collection of related computer system operations that can be performed by users of the system.

Least privilege

is the principle that users are granted the privilege for some activity only if there is a justifiable need to grant this authorization.

Firewall
System that enforces access-control policy between two networks.

Anti-malware systems

(also called antivirus software) are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.

Whitelisting
is a process in which a company identifies the software that it will allow to run and does not try to recognize malware.

Blacklisting
is a process in which a company allows all software to run unless it is on the blacklist.

Intrusion Detection Systems

are designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall.

Encryption
Process of converting an original message into a form that cannot be read by anyone except the intended receiver.

A digital certificate

is an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format.

Certificate authorities

which are trusted intermediaries between two organizations, issue digital certificates.

A virtual private network

is a private network that uses a public network (usually the Internet) to connect users.

Secure Sockets Layer (SSL)

now called Transport Layer Security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.

Vulnerability management systems

(also called security on demand) extend the security perimeter that exists for the organization's managed devices, to unmanaged, remote devices.

Employee monitoring systems

monitor employees' computers, e-mail activities, and Internet surfing activities.


encrypts each data packet that is sent and places each encrypted packet inside another packet.