26/06/2024
Lecture 5: Information Systems Security
ISIT224 Management Information Systems
Lecture Outline
• Identify the factors that contribute to the increasing
vulnerability of information systems
• Discuss the common types of security threats
• Risk management process
• Identify the types of security controls
– Physical controls
– Access controls
– Communication (network) controls
• StarHub: Cyber attacks that caused broadband outages came from customers' infected machines
• https://www.straitstimes.com/tech/starhub-cyber-attacks-that-caused-broadband-outages-came-from-customers-infected-machines
Information Systems Security
• Why is security an important issue for information systems?
– When large amounts of data are stored digitally, they are vulnerable to many more kinds of threats than when they were stored in manual form.
– When data are available over a network, there are even more vulnerabilities.
• Information systems security: all of the processes and policies designed to protect an organization’s information and information systems from unauthorized access, use, disclosure, modification, or destruction
Security Threats
Internet Security Challenges
• Network open to anyone
• Size of the Internet means abuses can have wide impact
– E.g., the use of fixed Internet addresses with cable / DSL modems creates fixed targets for hackers
– E.g., unencrypted VoIP traffic can be intercepted by hackers
– E.g., e-mail, P2P, IM
• Attachments carrying malicious software
• Interception of trade secrets while they are being transmitted
Wireless Security Challenges
• Radio frequency bands are easy to scan
• SSIDs (service set identifiers) are broadcast
• Hackers use many tools to detect unprotected networks, monitor network traffic, and, in some cases, gain access to corporate networks or information systems
– Stronger encryption and authentication systems are available for wireless networks, but users must install them
– Many Wi-Fi routers today ship with security protection pre-installed
Wireless Security Challenges
[Figure] The service set identifiers (SSIDs) identifying the access points in a Wi-Fi network are broadcast multiple times (as illustrated by the orange sphere) and can be picked up fairly easily by intruders’ sniffer programs.
Wireless Security Challenges
• War driving
– Eavesdroppers drive by buildings and try to detect SSIDs and gain access to the network and its resources
– Once an access point is breached, the intruder can gain access to networked drives and files
• Rogue access points
– A wireless access point installed on a wired enterprise network without authorization from the network administrator
– Experiment at the RSA Conference 2017 in San Francisco
– Countermeasure: implement a Wireless Intrusion Prevention System (WIPS) with automatic prevention turned on
Software Attacks
• Occur when malicious software (malware) penetrates an organization’s information systems
• Virus: performs malicious actions by attaching itself to a computer program
• E.g., the Friday the 13th virus: lies in wait until Friday the 13th, then deletes the files, applications, and documents opened on your machine
• E.g., the Melissa virus: sent out infected Word documents from Microsoft Outlook; caused more than $1 billion in damage
Software Attacks
• Worm: replicates, or spreads, by itself (without requiring another computer program)
• Has network awareness: uses shared drives and shared folders to propagate from one machine to another
• Once on a machine, it uses up CPU cycles, memory, and bandwidth, thereby slowing down the machine and the networks on which that machine operates
• Trojan horse: software with a hidden intent to open backdoors
• Appears in an appealing form (e.g., a beautiful screensaver that you want to download); once on your machine, it deletes files and opens up a backdoor for hackers to take administrative control of your machine
• Typically cannot self-replicate; relies on tricking users
Software Attacks
• Botnets: a network of computers infected by worms or Trojan horses, which can then be used to launch simultaneous attacks
– Users are first tricked into installing some form of worm, which helps the malware propagate to other machines on the network
– A Trojan horse opens up a backdoor for the attacker to control these machines
• Often employed by attackers to spread spam and to launch distributed denial of service (DDoS) attacks on a target machine
Software Attacks
• Denial-of-Service (DoS) Attack
– Attacker sends a flood of data packets to the target computer with the aim of overloading its resources
• Distributed Denial-of-Service (DDoS) Attack
– Attacker sends a flood of data packets from many compromised computers simultaneously
Identity Theft
• Phishing
– An attempt to trick you into giving up your personal information by pretending to be someone you know
• Spear Phishing
– Targets a specific person or organization by personalizing the message
– E.g., using information about ourselves disclosed online through Facebook or through e-commerce sites
Identity Theft
91% of cyber attacks in 2017 started
with a phishing email.
Password Cracks
• Reverse calculation is usually used to crack user passwords
• The Security Account Manager (SAM) file contains a hashed representation of users’ passwords
– Hashing is a mathematical way of taking any set of characters of arbitrary length and mapping it to a fixed number of characters
• A system administrator can use this file to restore a forgotten password
• But what if a hacker has the SAM file? What can they do with it now?
Password Cracks
– How to crack it: try out all possible combinations of characters and words
• Brute-Force Attack
– Repeated guessing
– Prevention: limit attempts per period
• Dictionary Attack
– Uses dictionary words
– Prevention: use non-words, digits, and special characters
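The two preventions listed above, a limit on guesses per period and a policy that rejects dictionary words, can be implemented directly in the password store, together with salted, slow hashing so that a stolen hash file (the SAM scenario above) is far harder to reverse. The Python below is an added example written for this lecture, not code from the slides; the class and function names, the 200,000-iteration work factor, and the usernames, passwords and dictionary words in the usage are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a real deployment should follow current published guidance, which is higher.
PBKDF2_ITERATIONS = 200_000
DUMMY_SALT = bytes(16)  # used so unknown usernames take as long as real ones


def meets_policy(password, dictionary, min_length=12):
    """Defence against dictionary attacks: reject plain words and require
    digits and special characters, as the lecture suggests."""
    if len(password) < min_length or password.lower() in dictionary:
        return False
    has_digit = any(ch.isdigit() for ch in password)
    has_special = any(not ch.isalnum() for ch in password)
    return has_digit and has_special


class PasswordStore:
    """Stores salted, slow hashes instead of passwords and limits guesses.

    max_attempts failures within window_seconds lock the account for the
    rest of that window (the lecture's 'limit attempts per period').
    """

    def __init__(self, max_attempts=5, window_seconds=300):
        self._records = {}   # username -> (salt, derived key)
        self._failures = {}  # username -> timestamps of recent failures
        self.max_attempts = max_attempts
        self.window = window_seconds

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)  # a fresh salt per user defeats precomputed tables
        self._records[username] = (salt, self._derive(password, salt))

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(username, []) if now - t < self.window]
        self._failures[username] = recent
        return len(recent) >= self.max_attempts

    def authenticate(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        record = self._records.get(username)
        salt, stored = record if record else (DUMMY_SALT, b"")
        candidate = self._derive(password, salt)  # always do the slow work
        if record and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return "ok"
        self._failures.setdefault(username, []).append(now)
        return "denied"


if __name__ == "__main__":
    common_words = {"password", "letmein", "qwerty"}  # constructed dictionary
    print("policy accepts 'password':", meets_policy("password", common_words))
    store = PasswordStore(max_attempts=3, window_seconds=300)
    store.register("alice", "s3cret-Passphrase!")
    for guess in ("wrong", "wrong", "wrong", "s3cret-Passphrase!"):
        print(guess, "->", store.authenticate("alice", guess))
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production it is simply omitted and the wall clock is used.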
Click Fraud
• Occurs when an individual or computer program fraudulently clicks an online ad without any intention of learning more about the advertiser or making a purchase.
• Affects pay-per-click online advertising
Internal Threats: Employees
• Company insiders pose serious security problems.
• Social engineering tricks employees into revealing sensitive information by pretending to be legitimate members of the company in need of information.
• Errors can be introduced into information systems by users and systems specialists.
Protection Mechanisms
Security Risk Management
• Goal of risk management
– To identify, control, and minimize the impact of threats
– To reduce risk to acceptable levels
• Security risk
– The probability that a security threat will impact an information system
• Risk management process
– 1. Risk analysis
– 2. Risk mitigation
– 3. Controls evaluation
1. Risk Analysis
• Three steps
– Assessing the value of each asset being protected
– Estimating the probability that each asset will be compromised
– Comparing the probable costs of the asset’s being compromised with the costs of protecting that asset
1. Risk Analysis
• Example
– Assume that the probability of a major power outage in a given year is 7 percent. The chance of your computer centre being damaged during such an outage is 5 percent.
– If the centre is damaged, the average estimated damage will be $4 million.
• Calculate the expected loss in dollars.
– Expected Annual Damage = 0.07 * 0.05 * $4,000,000 = $14,000
• An insurance agent is willing to insure your facility for an annual fee of $25,000. Analyse the offer, and discuss whether to accept it.
– The insurance costs more than the expected damage, so the offer should be refused.
2. Risk Mitigation
• Risk defense
– Prevents the exploitation of the vulnerability by countering threats, removing the vulnerability, and adding protective safeguards.
• Risk transference
– Transfers the risk by using other means to compensate for the loss (e.g., insurance)
• Risk limitation
– Limits the risk by implementing controls that minimize the impact of the threats
• Risk acceptance
– Accepts the potential risk, continues operating with no controls, and absorbs any damages that occur
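The expected-loss calculation in the power-outage example and the four mitigation strategies listed above fit together as a small risk register: compute the expected annual loss of each asset, then compare it with the annual cost of each candidate treatment and fall back to acceptance when nothing pays for itself. The Python below is an added example written for this lecture, not code from the slides; the `Risk` and `Treatment` classes, the `loss_reduction` field, and the UPS-and-generator option are constructions for illustration, while the outage probabilities, damage figure and insurance fee are the lecture's own numbers.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register (steps 1 and 2 of risk analysis)."""
    asset: str
    p_threat: float      # probability that the threat occurs in a given year
    p_compromise: float  # probability the asset is compromised, given the threat
    impact: float        # estimated loss in dollars if the asset is compromised


@dataclass
class Treatment:
    """A candidate risk treatment and what it costs per year.

    loss_reduction is the share of the expected loss the treatment avoids
    (defense / limitation) or compensates (transference, e.g. insurance).
    """
    name: str
    strategy: str          # "defense", "transference" or "limitation"
    annual_cost: float
    loss_reduction: float  # 0.0 .. 1.0


def expected_annual_loss(risk):
    """Probable annual cost of the asset being compromised."""
    return risk.p_threat * risk.p_compromise * risk.impact


def net_benefit(risk, treatment):
    """Step 3 of risk analysis: value of the protection minus its cost.

    Positive means the treatment costs less than the loss it removes.
    """
    return expected_annual_loss(risk) * treatment.loss_reduction - treatment.annual_cost


def recommend(risk, options):
    """Choose the treatment with the largest positive net benefit.

    If none pays for itself the answer is risk acceptance: keep operating
    without the extra control and absorb the damage if it occurs.
    """
    best = max(options, key=lambda t: net_benefit(risk, t), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return ("acceptance", "none")
    return (best.strategy, best.name)


# The lecture's figures: 7% chance of a major outage, 5% chance the computer
# centre is damaged in one, $4,000,000 average damage.
POWER_OUTAGE = Risk("computer centre", p_threat=0.07, p_compromise=0.05, impact=4_000_000)

# The lecture's insurance offer ($25,000 a year) plus a constructed alternative.
INSURANCE = Treatment("facility insurance", "transference", annual_cost=25_000, loss_reduction=1.0)
UPS_AND_GENERATOR = Treatment("UPS and generator", "defense", annual_cost=9_000, loss_reduction=0.9)

if __name__ == "__main__":
    print(f"expected annual loss: ${expected_annual_loss(POWER_OUTAGE):,.0f}")
    for t in (INSURANCE, UPS_AND_GENERATOR):
        print(f"{t.name}: net benefit ${net_benefit(POWER_OUTAGE, t):,.0f}")
    print("insurance only ->", recommend(POWER_OUTAGE, [INSURANCE]))
    print("both options   ->", recommend(POWER_OUTAGE, [INSURANCE, UPS_AND_GENERATOR]))
```

With only the insurance offer on the table the function returns acceptance, matching the lecture's conclusion; the constructed defense option shows how a cheaper control that removes most of the loss changes the recommendation.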
3. Controls Evaluations
• Examines the costs of implementing adequate control measures against the value of those control measures
• Defense-in-Depth
– Employ multiple layers of controls in order to avoid having a single point of failure
• Preventive control: security policy on actions
• Detective control: to identify when preventive controls have been breached
• Corrective control: to repair damage and to improve the above controls
3. Controls Evaluations
• Time-based Model of Security
– Evaluates the effectiveness of an organization’s
security
• P(t) = Time it takes an attacker to break through the
organization’s preventive controls
• D(t) = Time it takes to detect that an attack is in
progress
• C(t) = Time it takes to respond to the attack
• If P(t) > D(t) + C(t), then the organization’s security
procedures are effective
Example: Controls Evaluations
• XYZ Company evaluates its security procedures with the
following outcomes:
– Estimated time for intruder to successfully penetrate
system = 22 minutes
– Estimated time to detect an intrusion attempt and notify
appropriate security staff = 15 minutes
– Estimated time to analyze detected intrusion attempts and
implement corrective actions = 6 minutes
• Are the security procedures of XYZ Company effective? Why
or why not?
– Yes, 22 mins > 15 mins + 6 mins
Example: Controls Evaluations
• Time-based Model of Security: Provides a means for
management to identify the most cost-effective approach to
improving security
– Suppose XYZ Company is considering the investment of $100,000 to
enhance security:
• Option 1: Invest $50,000 to purchase a new firewall that would
decrease the estimated time to successfully penetrate the system by
10 minutes
• Option 2: Invest $35,000 to upgrade the intrusion detection system
that would reduce the time to detect an intrusion attempt and notify
appropriate security staff by 3 minutes
• Option 3: Invest $25,000 in new methods for responding to
computer security incidents so as to reduce the time required to
analyze detected intrusion attempts and implement corrective
actions by 1 minute
– Which options would you recommend? Why?
– If you could do only one, which would you recommend? Why?
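The time-based model and the XYZ Company investment question can be worked through in code: compute the margin P - (D + C), the cost per minute of margin each option buys, and the best set of options that fits the budget. The Python below is an added example written for this lecture, not code from the slides; the option keys and function names are constructed, while the 22 / 15 / 6 minute estimates, the three options and the $100,000 budget are the lecture's figures.

```python
from itertools import combinations

# XYZ Company's estimates from the lecture, in minutes.
P_BASE, D_BASE, C_BASE = 22, 15, 6

# The three investment options from the lecture:
# name -> (cost in dollars, minutes added to P, minutes cut from D, minutes cut from C)
OPTIONS = {
    "firewall": (50_000, 10, 0, 0),    # attacker needs 10 more minutes to penetrate
    "ids_upgrade": (35_000, 0, 3, 0),  # detection and notification 3 minutes faster
    "response": (25_000, 0, 0, 1),     # analysis and correction 1 minute faster
}


def safety_margin(p, d, c):
    """P - (D + C): how many minutes of head start the defenders have."""
    return p - (d + c)


def is_effective(p, d, c):
    """Time-based model of security: effective iff P > D + C."""
    return safety_margin(p, d, c) > 0


def apply_options(p, d, c, chosen):
    """Return the (P, D, C) that result from buying the chosen options."""
    for name in chosen:
        _cost, dp, dd, dc = OPTIONS[name]
        p, d, c = p + dp, d - dd, c - dc
    return p, d, c


def total_cost(chosen):
    return sum(OPTIONS[name][0] for name in chosen)


def cost_per_minute(name):
    """Dollars spent per minute of margin gained: lower is more cost-effective."""
    cost, dp, dd, dc = OPTIONS[name]
    return cost / (dp + dd + dc)


def best_affordable(p, d, c, budget):
    """Try every affordable subset of options and keep the one with the largest margin."""
    best_set, best_margin = (), safety_margin(p, d, c)
    for r in range(1, len(OPTIONS) + 1):
        for chosen in combinations(OPTIONS, r):
            if total_cost(chosen) > budget:
                continue
            margin = safety_margin(*apply_options(p, d, c, chosen))
            if margin > best_margin:
                best_set, best_margin = chosen, margin
    return best_set, best_margin


if __name__ == "__main__":
    print("baseline effective:", is_effective(P_BASE, D_BASE, C_BASE),
          "margin:", safety_margin(P_BASE, D_BASE, C_BASE), "minutes")
    for name in OPTIONS:
        print(f"{name}: ${cost_per_minute(name):,.0f} per minute of margin")
    print("best within $100,000:", best_affordable(P_BASE, D_BASE, C_BASE, 100_000))
```

Exhaustive search is fine here because there are only three options; the same structure extends to more options, and the cost-per-minute figure is the quantity to compare when only one investment can be made.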
Information Systems Security Controls
Access Controls
• Authentication: a process that determines the identity of the
person requiring access
– knowledge factor: E.g., password, PIN, pattern
– ownership factor: E.g., smart card, mobile phone, security
token
– inherence factor: E.g., fingerprints, retina scans, iris
recognition
• Authorization: a process that determines which actions, rights,
or privileges the person has, based on verified identity
Access Controls
• Authentication
– Two-factor authentication
• Involves two of the authentication factors
– CAPTCHA
• Completely Automated Public Turing test to tell
Computers and Humans Apart
• Test to determine whether the user is human
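Two-factor authentication as described above combines a knowledge factor with an ownership factor; the most common ownership factor is a time-based one-time code generated by a phone app or hardware token (TOTP, RFC 6238, built on HOTP, RFC 4226). The Python below is an added example written for this lecture, not code from the slides; `two_factor_login` and the other function names are constructed, and the secret used is the published RFC 6238 test secret rather than anything from the lecture.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Accept the current step and `skew` steps either side to tolerate clock
    drift; compare_digest keeps each comparison constant-time."""
    counter = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-skew, skew + 1)
    )


def two_factor_login(password_ok, secret, code, unix_time=None):
    """Knowledge factor (password already verified) AND ownership factor
    (a code from the token holding `secret`) must both succeed."""
    unix_time = time.time() if unix_time is None else unix_time
    return password_ok and verify_totp(secret, code, unix_time)


# Test secret from the RFC 6238 appendix; a real secret is random per user
# and shared with the token once at enrolment.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    now = time.time()
    print("login:", two_factor_login(True, RFC_SECRET, totp(RFC_SECRET, now), now))
```

The server and the token never exchange the code's secret after enrolment; a phished password alone fails because `two_factor_login` also needs a code that only the token can produce for the current 30-second step.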
Communications Controls
• Antivirus software
– Software packages that attempt to identify and eliminate
viruses, worms, and other malicious software
• Symantec (Symantec Security Response)
• McAfee (McAfee Virus Information)
• Data files must be updated regularly
– Recognize and eliminate newest viruses
• Some Web e-mail systems:
– Provide and update antivirus software
• Used to scan attachments before downloading
– Example: Gmail, Yahoo mail
Communications Controls
• Firewall
– A system (hardware, software, or both) that prevents a specific
type of information from moving between untrusted
networks (e.g., Internet) and private networks (e.g., Intranet)
Encryption
• Dbo zpv sfbe uijt? Can you read this?
• Cryptography: the process of converting an original message (plaintext) into a form (ciphertext) that cannot be read by anyone except the intended receiver.
– Encryption & Decryption
• Time of Julius Caesar: alphabetic cipher or Caesar cipher
• Works by shifting each letter a fixed number of places (the key) down the alphabet
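The Caesar cipher above is small enough to implement in full, and doing so also shows why it offers no real protection: with a 26-letter alphabet there are only 25 non-trivial keys, so anyone who intercepts the ciphertext can list every candidate plaintext and read off the one in English. The Python below is an added example written for this lecture, not code from the slides; the function names are constructed, and the ciphertext in the usage is the slide's own "Dbo zpv sfbe uijt?".

```python
import string

ALPHABET_SIZE = 26


def caesar_shift(text, key):
    """Shift every ASCII letter `key` places down the alphabet, wrapping at Z.
    Case is preserved and other characters pass through unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return caesar_shift(plaintext, key)


def decrypt(ciphertext, key):
    return caesar_shift(ciphertext, -key)


def all_candidate_plaintexts(ciphertext):
    """The whole key space of the cipher: 25 shifts, so trying each one is
    trivial for an interceptor, which is why a fixed shift is not secure."""
    return {key: decrypt(ciphertext, key) for key in range(1, ALPHABET_SIZE)}


if __name__ == "__main__":
    ct = "Dbo zpv sfbe uijt?"  # the slide's ciphertext, key = 1
    print(decrypt(ct, 1))
    for key, candidate in all_candidate_plaintexts(ct).items():
        print(f"key {key:2d}: {candidate}")
```

Contrast the 25 keys here with the key space the one-time-pad discussion later in the lecture describes; the number of keys an attacker must try is the first measure of a cipher's strength.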
Encryption
• The use of encryption to ensure that data traveling
along networks cannot be read by unauthorized users
– Symmetric key encryption
• Sender and receiver use single, shared key
• Same key for both encryption of plaintext and
decryption of ciphertext
– Asymmetric (public) key encryption
• Uses two mathematically related keys: a public key and a private key (a key pair)
• Sender encrypts the message with the recipient’s public key (kept in a directory)
• Recipient decrypts with his/her private key (kept secret)
Symmetric Key Encryption
[Figure: sender and receiver share the same private key]
• A 56-bit private key can be cracked by a hacker in about 400 seconds by brute-force methods
• Longer and stronger: increasing to 256 bits raises this to about 10 to the power 56 years
Encryption
• Time of the Cold War: One Time Pad
– Contains sequences of randomly generated numbers that are used for encryption
– 26 letters in the alphabet; each letter can be substituted by one of 26 possibilities
– E.g., a 7-letter word: 26 multiplied by itself 7 times = more than eight billion possibilities; very hard to crack by brute force
Asymmetric Key Encryption
[Figure: sender encrypts with the receiver's public key; receiver decrypts with the private key]
• Good for confidentiality, but how can we authenticate? What if someone is pretending to be Alice using a different public and private key pair?
Digital Certificate
• Issued by a Certificate
Authority
• Associates a public key
with an
individual/company
• To help with
authentication
Digital Certificate
• A Certificate Authority (CA) verifies the user’s identity and stores the information in a CA server, which generates an encrypted digital certificate
• containing owner ID information
• and a copy of the owner’s public key
• Often a trusted third-party organization. Examples:
– DigiCert
– VeriSign
• Companies can also have an in-house CA
Digital Certificate
• Digital certificates help establish the identity of people or
electronic assets. They protect online transactions by
providing secure, encrypted, online communication.
Public Key Infrastructure (PKI)
• Public key infrastructure (PKI)
– A two key (asymmetric) encryption system for
communication
– A framework not a specific technology
• Universal infrastructure that can work across
multiple systems and vendors
• Widely used in e-commerce, internet banking and
confidential email
– Provides confidentiality and authentication
• Confidentiality: encrypts data transmissions
• Authentication: confirms the owner of the keys using
Digital Certificates
Digital Signature
• The roles of the encryption and decryption keys can be reversed: by attaching a signature to a message, the sender can mark the message as authentic
– A “signed” ciphertext accompanying a message, which identifies and authenticates the sender and the message data using a public key encryption system
• Sender encrypts the message with her own private key (a digital signature) and sends it to the receiver
• Receiver decrypts the message using the sender’s public key, verifying that the message indeed comes from the sender
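The reversal of key roles described above, and the earlier question of someone pretending to be Alice with a different key pair, can both be made concrete with textbook RSA: confidentiality uses the recipient's public key, a signature uses the sender's private key, and a signature made under an impostor's private key fails against Alice's public key, which is exactly the gap a certificate binding the public key to Alice closes. The Python below is an added example written for this lecture, not code from the slides; the Mersenne primes are constructed demonstration keys (real key generation uses random primes and padding such as PSS and OAEP), the impostor "Mallory" and all function names are constructed, and the digest is signed rather than the whole message, as real signature schemes do.

```python
import hashlib

# Demonstration primes (constructed): Mersenne primes, chosen so the example
# needs no prime generation. Real keys use random primes of at least 1024 bits
# each plus a padding scheme; bare textbook RSA is shown only to expose the roles
# of the two keys.
ALICE_P, ALICE_Q = 2**127 - 1, 2**521 - 1
MALLORY_P, MALLORY_Q = 2**89 - 1, 2**607 - 1
PUBLIC_EXPONENT = 65537


def generate_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _digest_as_int(message):
    """Signatures are computed over a hash of the message, not the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Sender 'encrypts' the message digest with her own private key."""
    n, d = private_key
    return pow(_digest_as_int(message), d, n)


def verify(message, signature, public_key):
    """Receiver 'decrypts' with the sender's public key and compares digests."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message) % n


def encrypt(message, public_key):
    """Confidentiality: anyone may encrypt with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; exchange a session key instead")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of the matching private key recovers the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(ALICE_P, ALICE_Q)
    mallory_pub, mallory_priv = generate_keypair(MALLORY_P, MALLORY_Q)
    msg = b"Transfer 100 dollars to Bob"   # constructed sample message
    sig = sign(msg, alice_priv)
    print("Alice's signature, Alice's public key:", verify(msg, sig, alice_pub))
    print("Same signature, tampered message:   ", verify(msg + b"0", sig, alice_pub))
    forged = sign(msg, mallory_priv)
    print("Impostor's signature, Alice's key:    ", verify(msg, forged, alice_pub))
    print("Impostor's signature, impostor's key: ", verify(msg, forged, mallory_pub))
    print(decrypt(encrypt(msg, alice_pub), alice_priv))
```

The last two prints are the point of the certificate slides that follow: the impostor's signature is perfectly valid under the impostor's own public key, so the receiver must have a trustworthy way to know which public key is really Alice's.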
SSL and S-HTTP
• Two methods for encryption on networks
– Secure Sockets Layer (SSL)
• Goal: secures connections between two computers
– Secure Hypertext Transfer Protocol (S-HTTP)
• Goal: send individual messages securely
• Secure Socket Layer (SSL)
– SSL protocols enable two parties to identify and
authenticate each other and communicate with
confidentiality and data integrity
– e.g., e-commerce transactions and online banking
Establishing an SSL session
• Each new connection between client and secure server begins with a handshake
• After the secure session is established:
– Public-key encryption is no longer used
– Message transmission is protected by private-key (symmetric) encryption
– The session key (private key) is discarded when the session ends
S-HTTP (Secure HTTP)
• An extension to the Hypertext Transfer Protocol (HTTP)
that allows the secure exchange of files on the World Wide
Web
– For a given document, S-HTTP is an alternative to Secure Sockets
Layer (SSL)
– A major difference is that the protocols adopt different philosophies
towards encryption, with SSL encrypting the entire
communications channel and S-HTTP encrypting each message
independently
• SSL has become:
– More generally accepted standard over S-HTTP
– Widely deployed security protocol and supported by almost all
browsers
Virtual Private Network (VPN)
• Virtual Private Network (VPN): A private network
that uses a public network (usually the Internet) to securely
connect users by using encryption
– Tunneling: A process that encrypts each data packet to be sent
and places each encrypted packet inside another packet
Business Continuity Planning
• To be prepared
– The purpose is to provide guidance
– The objective is to restore the business to normal
operations
• Strategies for business continuation
– Hot sites
– Warm sites
– Cold sites
Information Systems Auditing
• Internal auditing is frequently performed by corporate internal auditors.
• External auditing is frequently performed by a certified public accounting firm.
• Guidelines are available from the Information Systems Audit and Control Association (www.isaca.org)
• How is auditing executed?
– Auditing around the computer
– Auditing through the computer
– Auditing with the computer
Summary
• Types of security threats
• Risk management process (1. risk analysis; 2. risk
mitigation; 3. controls evaluation)
• Types of controls that organizations can use to
protect their information resources
– Physical controls
– Access controls
– Communication (network) controls