INFORMATION SYSTEMS THREAT AND SECURITY

Threats to Information Systems

can come from many different sources and can be categorized into two types: unintentional threats and intentional threats.

Unintentional Threats

1. Natural disasters
2. Human threats
3. Environmental threats
4. Physical threats
5. Technical threats that are not deliberate

Natural Disasters

include devastating events such as hurricanes, tornados, floods, earthquakes, and fires. These disasters cause hardware damage and, in some cases, software damage. Damage can include partial or total loss of the information systems and even the infrastruc

Human Threats

Human errors and accidents can lead to system failure. Thus, it is a good practice for organizations to have well-documented policies and procedures for employees to follow to rectify an accident in the event that one occurs. Most of the time, unintention

Environmental Threats

Environmental threats are usually the result of the external conditions in which the system resides.

Physical Threats

Physical threats include things like a cable being cut accidentally during construction. This could cause the system to fail or make communications impossible. Also, power surges or power outages can affect system availability.

Technical Threats that are not deliberate

Technical threats that are unintentional can also occur in organizations. For example, one type of unintentional technical threat is system errors or failures that cause the system to become corrupt. One of the more common unintentional technical threa

Human Threats Example

Data Entry Errors, Employee Carelessness, Procedural Errors

Environmental Threats Example

1. Temperature too high
2. Water leaks around IS hardware
3. High humidity
4. No ventilation or poor ventilation
5. Electromagnetic interference
6. Hazardous materials

Intentional threats

Any threat to an information system (IS) is considered intentional if its purpose is to do harm, regardless of the reason. Many of these threats are discovered quickly and can be traced to the perpetrator, while many others go undetected for long periods

Human Threats Intentional threats

All threats that are intentional can be traced to someone or some organization. Those covered here can be traced to a specific person. Most of the intentional threats to information systems involve technical means.

Intentional Technical Threats

1. Unauthorized Access
2. Trojan Horses
3. Back Doors
4. Contamination
5. Eavesdropping
6. Malicious Software Coding

Unauthorized Access

Intrusion, or unauthorized access, is entering systems without authority, usually for the purpose of malicious activity. Examples include Trojan horses, back doors, contamination, eavesdropping, and malicious software coding.

Trojan Horses

Trojan horses are applications that are destructive, but masquerade as legitimate programs. They are usually set to activate on a specific date or as a result of a specific action at a later time. In some cases, they allow a hacker entrance to a system.

Back Doors

Some hackers gain entrance into a system by using improper credentials or holes in programs. When they are in, hackers can do the same type of damage as Trojan horses.

Contamination

Contamination, or intentional improper mixing of data, can corrupt sensitive information. Examples include improper tagging and unauthorized manipulation of information. If websites are contaminated, financial information could be compromised.

Eavesdropping

Unauthorized users can use electronic means to spy on protected data. An example is the use of keystroke-recording software to record entries into systems.

Malicious Software Coding

Malicious software coding enables unauthorized users to make modifications to the system so they can control it.

Malware

Malware includes many types of software viruses.

Examples of Malware

1. Computer Worms
2. Trojan Horses
3. Bootsector Virus

Computer Worms

are replicating bugs that absorb all available space on a computer hard drive. They can be sent to other computers on the network to do the same damage.

Trojan Horses

are also malware.

Bootsector Virus

This virus is found in the boot disk area of the computer and is usually transferred by portable disks inserted into computers.

Other Technical Threats

1. Sniffing
2. Spoofing
3. Pretexting
4. Phishing
5. Communication Threats
6. Spyware
7. Denial-of-Service Attacks

Sniffing

is traveling down a street and intercepting communications over unprotected wireless networks.

Spoofing

is pretending to be someone else by using the person's IP address to obtain personal information.

Pretexting

is pretending to be someone else to acquire personal information. Examples include scams that are done over the phone, which often target vulnerable people.

Phishing

occurs when people use pretexting via email. One of the most popular examples is to send an email to someone that appears to be from a financial institution

Communication Threats

threats are present when using email and other forms of electronic communication. They are also known as unauthorized data disclosures. For example, there is the possibility of someone sending private data to an unauthorized outside source, potentially je

Spyware

are programs that are transferred to a computer and then used to monitor the activities on the computer. The main purpose of spyware is to capture personal financial information.

Denial-of-Service Attacks

Denial-of-service attacks occur when someone brings down an organization's computer system so it cannot communicate with its customers. An example of this occurred when a customer was not happy with the way a firm responded to his problem. He wrote a soft

Security Plans

Good security plans take into consideration all system components. When potential security threats surface, a good organization learns to manage the risks and tries to minimize the damage.
There are five components of an information system, and organizati

There are five components of an information system

1. Hardware
2. Software
3. Data
4. People
5. Procedures

Hardware Security

* The first thing an organization must consider in a security plan is the physical security of the computer hardware.
* All hardware should be kept in a safe and secure place that remains locked at all times. This is especially true for the servers and hard

Software Security

Software security begins with proper authority to access the applications and programs on a system. Organizations should require the use of proper user IDs and passwords to help prevent unauthorized access to a system. Whenever new software applications a

Keeping software secure:

1. Authentication of User
2. Software Firewalls
3. Malware Protection

Authentication of User

Every system should require users to enter their identification and a secure password to gain access. More recent types of software security include the use of smart cards and biometric authentication:
Smart cards contain a magnetic strip that includes au

Software Firewalls

help keep intruders from accessing system software by filtering both inbound and outbound communications that are not validated.

Malware Protection

Malware includes computer viruses and worms. It can be controlled by using good antimalware protection like the following:
Installing antivirus software programs on the organization's systems, including antispyware software
Updating antivirus definitions

Data Security

Organizations that rely on confidential information must go to great lengths to protect that data. This is usually the responsibility of the information system (IS) department. Because data are contained in a database, the database administrator is usuall

Data Security Data Backups

One of the most important security measures in storing data is to ensure periodic backups are made. It is not uncommon for organizations to back up data on a daily, weekly, monthly, and yearly schedule. If something ever goes wrong and data becomes corrup

Data Security Correct Data Rights

Assigning users the correct data rights necessary to do their jobs is also critical for data security. Users in an organization should only have the ability to change or modify data for which they are directly responsible. Users who only need to see the d

People Security

People are the most important component of an IS. People use the system to manage data, and they are responsible for following the procedures to run the systems. Without the people component there would be no need for an IS.

People Security includes

1. Security during the Hiring Process
2. New Employees
3. Seasoned Employees
4. Procedures Security

People Security During the Hiring Process

Ensuring security with regard to people begins during the hiring process. Appropriate interviews, reference checks, and background checks are all part of a good screening process when hiring employees who will be using the organization's computer resource

People Security New Employees

When hired, new employees should receive proper credentials to allow access to the databases needed to accomplish their jobs, including read-only and modification authority for only those parts of the databases for which they are responsible. New employee

People Security Seasoned Employees

Employees should be expected to follow security procedures when handling computer resources. When security breaches happen, it is important that management investigates them and then enforces the security policies and procedures by appropriately admonishi

People Security Procedures Security

Procedures security is closely tied to people security. Procedures for users to follow should be written by professionals with help from the IS department. Organizations should ensure that all employees follow strict written procedures when using a databa

Computing Resources Security

Organizations depend on the security of their information systems and the data they use.

Computing Resources Security Examples

1. Confidentiality
2. Integrity
3. Authentication

Computing Resources Security Confidentiality

The organization needs to ensure that only those employees who are authorized to use information have access to it.

Computing Resources Security Integrity

The data in the system should always be the correct data (accurate and uncorrupted).

Computing Resources Security Authentication

The data and its source should be verifiable.

Data and Data Loss

Data are raw facts that, when processed and manipulated in a database, become meaningful information. Data are contained in an organization's database.

Data and Data Loss Examples

Collecting Data, Data Backup

Collecting Data

Companies that depend on their information for survival often consider data their most valuable asset. The ability to collect data and use it for making business decisions gave birth to the Information Age. Digital data are growing at a rate of more than

Data Backup

Data restoration is a process that recreates data that have been lost. This process can only happen if the organization has stored copies of its data, usually offsite. How often should an organization back up its data? It depends. If the organization is a

Data Backup Technologies

There are numerous data backup techniques organizations use to protect their data. The methods an organization uses depend on its size, the importance of the data, and the amount of data to back up. Regardless of the data backup methodology used, all orga

Data Backup Technologies Examples

1. Optical Media
2. Semiconductor
3. Magnetic Tape

Data Backup Technologies Optical Media

Firms can use optical media (DVDs and CDs) to back up relatively small amounts of data. The advantage of this medium is the ability to store the backups both onsite and offsite safely and easily by using numerous copies. Data can also be restored quickly by

Data Backup Technologies Semiconductor

Semiconductor data storage consists of nonvolatile memory chips. One of the most popular types is the Flash drive. These drives can accommodate data storage for small- to medium-size firms. This type of storage is fast but expensive.

Data Backup Technologies Magnetic Tape

Using magnetic tape to back up data was the preferred method for large organizations for many years until more modern techniques were introduced. Magnetic tape data storage is inexpensive but slow compared with most other means.

Online (or Cloud) Data Storage

Many organizations use cloud data storage, which is provided by third-party firms that specialize in online data storage. The many benefits of online/cloud data storage include the following:
Unlimited capacity for storing data
No computer infrastructure

Disaster Recovery

A data disaster for an organization is any event that causes systems to crash or lose data. Disaster recovery refers to what organizations can do to bring their systems and data back online. This includes returning the system and data to their predisaster

Disaster Recovery Examples

1. Concept of Disaster Recovery
2. Importance of Disaster Recovery Plans

Concept of Disaster Recovery

The concept of disaster recovery developed during the late 1970s and early 1980s as computer systems began playing a major part in business operations. As more organizations adopted cross-functional business systems with real-time processing, the disaster

Importance of Disaster Recovery Plans

Every organization must be able to recover from a disaster. Statistics show that more than 80% of organizations that lose their systems or data and cannot recover from the loss will go out of business within three years. In fact, almost 50% never reopen t

Objectives of a Disaster Recovery Plan

The main objectives of a disaster recovery plan are minimizing the financial risk of a disaster and getting systems up and running as quickly as possible. Other objectives of a good disaster recovery plan include the following:

Objectives of a Disaster Recovery Plan Steps

1. Decrease risk of disaster
2. Reduce probability of disaster
3. Reduce insurance premiums
4. Protect assets
5. Reduce dependence on human decision making after a disaster
6. Continue organizational stability
7. Improve employee safety

Creating a Disaster Recovery Plan Steps

1. Create the Disaster Recovery Plan Committee
2. Conduct the Risk Analysis
3. Identify Recovery Options
4. Create a Disaster Recovery Plan Strategy

Create the Disaster Recovery Plan Committee

The organization must create a DRP committee. Committee members should be selected from across the entire organization and should include a number of IT professionals. The purpose of this committee is to develop and administer the DRP.

Conduct the Risk Analysis

The committee analyzes each functional area of the organization and examines the impact that a disaster would have on each area. Every conceivable type of disaster should be identified and included in the analysis. The analysis report should include the i

Identify Recovery Options

The committee should identify recovery options for each functional area of the organization affected by the disaster, including the critical time frame of recovery needed, the resources required to complete recovery, and the impact that lost data might have

Create a Disaster Recovery Plan Strategy

Next, the committee should research, evaluate, and choose the best option for recovery for each situation and disaster. The committee must then create the necessary steps to follow for recovery. Each scenario should include the following:
A list of key co

Develop the Disaster Recovery Plan and Procedures Model

The committee must write a manual containing the policies and procedures that should be followed to recover from a disaster. The DRP policies and procedures manual should be reviewed by each functional department and by top management. The written manual

Test the Disaster Recovery Plan

In much the same way that fire departments conduct real-life tests and cities conduct emergency drills, the disaster recovery plan should be tested. The time required for management and employees to conduct the test is a small price to pay if a real disas

Review the Disaster Recovery Plan

Each department in the organization should review the DRP so all employees and management are aware of their responsibilities if a disaster strikes. The committee should meet periodically to review the plan and make updates and any needed changes.

Disaster Recovery Mistakes

No organization is perfect. In fact, many mistakes have led to improved management techniques and decisions. Organizations that learn from their mistakes and take steps to avoid them in the future tend to be successful.

Disaster Recovery Mistakes

1. Improper Planning
2. Lack of Top Management Support
3. Lack of Proper Testing
4. Noninvolvement

Improper Planning

If organizations do not plan properly and take shortcuts to recovery, they are ill prepared to recover from a disaster.

Lack of Top Management Support

If a DRP does not have the support of top-level management, then it risks failure or little success.

Lack of Proper Testing

A good plan is important, but what if it is never practiced? Without practice, employees are unsure of what to do in the event of a disaster. Organizations must conduct disaster recovery plan testing.

Noninvolvement

If the organization does not require the support of every functional area and the IT department, it risks an inadequate response if a disaster occurs.