
Mar 14, 2022


Chapter 19 * Information System Security * Bob Travica ©

Chapter 19

Information Systems Security

This chapter discusses the security of information systems (IS). The importance of this topic has increased recently because threats to data, software and hardware have become more frequent and impactful. There are threats with a longer history, such as theft of storage media, and later entrants, such as sniffing communication channels and various malicious software. There are also some new threats arising with the global spread of the Internet, such as ransomware. Security threats come from both within and outside an organization. There are effective protections from most of the threats. Although security costs money, keep in mind that insecurity costs more. The following discussion will explain both the threats and the associated protections.

Security Threats – Something Old, Something New

Security threats are an old issue that has been evolving over time. Data theft has been a security threat since the first days of computing. An employee could steal a piece of electronic storage for personal interest. This threat is still around, except that now there is a possibility of accessing stored data via a company’s computer network. In principle, this escalates the theft threat because the number of potential attackers increases.

Network-enabled access to IS has become standard. Companies use private computer networks that are more secure than the public Internet. Still, the Internet is part of business as the main technological platform for B2C e-commerce. Therefore, using the Internet is a must today. Since anyone can use the Internet, this increases the chances that malicious parties may hide among the normal Internet users. Attackers on IS may come from the groups of computer experts as well as less proficient users. The Internet levels the playing field. Attackers have a whole variety of weapons at their disposal.

IS security has similarities with security in other domains. Family members living in a house need to make sure that their home is locked when it is vacant, the windows are closed, and perhaps the alarm is set. A car and even a bicycle should be secured by locking when these pieces of property are unattended. The same principle applies to IS, albeit with a twist: IS security has to be attended to continually, regardless of the current presence or absence of the IS user/manager. Still, there are effective protections for most of the threats, and appropriate management is about maintaining the protections and continually monitoring IS security. In other words, although the present IS security threats are significant, prudent management of IS security is capable of blocking the threats and enabling a smooth operation of business.


Figure 1 represents common IS security threats through the metaphor of home security. Subsequent sections will discuss each of these along with their associated protections.

Figure 1. Common Security Threats to Information Systems

Sniffing

Sniffing refers to listening to a communication channel by an uninvited party. The old landline telephone channel could be wiretapped simply by connecting a wire of a rogue phone controlled by the sniffer to the wire that is sniffed. This method was used in industrial espionage and outside of the business domain as well. A wired computer network is also vulnerable to sniffing. A rogue computer within a local area network, equipped with a network card and appropriate software, can become a sniffer of the network traffic. Internet traffic can also be sniffed.

In the present age of wireless communications, attention is keenly focused on the security of WiFi and of cell phone channels. WiFi communications are vulnerable to sniffing. Open access WiFi networks, which do not require password access, are the most exposed. A laptop placed within the open WiFi and armed with some freely available software for packet sniffing can sniff all the traffic transpiring between the local laptops/cell phones and the network’s hotspot.

Cell phone calls are also exposed to sniffing. The risk arises from the possibility of intercepting signals sent from a cell phone to the transmitter (also called network tower) serving the local area (the cell). Since the cell phone network works with digitized radio waves, a sniffer technology would include antennas for capturing these waves and some computing equipment. Even though the cell signals may be encrypted (jammed) in order to block sniffing, weaker encryption can be automatically broken (more below). Therefore, a rogue tower within the range of a network cell can intercept and listen to the cell phone calls.


Protections from Sniffing

Encrypting messages protects against sniffing. The basic idea behind encryption is that the content is jammed into an illegible format by using some programming method. For example, the message “Hi, how are you” can be encrypted into something like “Ij, ipx bsf zpv”. Try to move each letter one position up in the alphabet to understand the encryption method applied. By doing this, you have decrypted the text.

Of course, encryption methods are much more complex. Recall that everything a computer does is based on manipulating binary numbers that consist of combinations of zeroes and ones. Therefore, an encryption algorithm (rule) can perform mathematical operations on each character to make it more difficult to crack. For example, it can add a number to the binary number representing a letter in the message, subtract, multiply the sum, divide the result by some number, and so on. The longer the rule, the stronger the encryption. For that reason, the strength of an encryption key is measured in bits. For example, the early encryption key DES (Data Encryption Standard) was 56 bits strong, while the Twofish key developed later is 256 bits strong.

There are two methods of encryption: single key and double key encryption. The single key method uses the same piece of software for both encryption and decryption (see Figure 2/A). As both the sender and the receiver are using the same key, this is also called a symmetric technique. It requires that the encryption/decryption software runs on both the sender’s and the receiver’s machine. The key is private to the parties sharing it. Examples of this key are DES and Twofish cited above, used in Internet communications. For cell phone communications, users can apply single key encryption with the support of security application software (e.g., the Signal app, which works on both Android and iOS telephones).
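The letter-shift example above, written out as a single key (symmetric) cipher in which the same key both encrypts and decrypts. This is an added illustration, not code from the chapter; the function names are chosen here. It also shows why key length matters: a shift cipher has only 25 usable keys, so every one of them can be tried, whereas a 56-bit or 256-bit key leaves vastly more possibilities.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(text: str, key: int) -> str:
    """Move every letter `key` positions forward; other characters pass through."""
    out = []
    for ch in text:
        if ch.lower() in ALPHABET:
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text: str, key: int) -> str:
    """Single key method: the same key, applied backwards, undoes the shift."""
    return shift_encrypt(text, -key)


def try_all_keys(ciphertext: str, expected_word: str) -> list:
    """Exhaustive key search: return every key whose output contains expected_word.

    Only 25 keys exist, so an eavesdropper needs no knowledge of the key at all.
    """
    return [key for key in range(1, 26)
            if expected_word in shift_decrypt(ciphertext, key).lower()]


def number_of_keys(bits: int) -> int:
    """How many different keys exist for a key that is `bits` bits long."""
    return 2 ** bits


if __name__ == "__main__":
    secret = shift_encrypt("Hi, how are you", 1)
    print(secret)                          # the chapter's jammed message
    print(shift_decrypt(secret, 1))        # the receiver, holding the same key
    print(try_all_keys(secret, "how"))     # the sniffer, holding no key
    print(number_of_keys(56), "possible 56-bit keys")
    print(number_of_keys(256), "possible 256-bit keys")
```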

Figure 2. Encryption Methods

In contrast, double key encryption uses two different pieces of software on the sender and receiver side, which are related like two halves of the same whole (Figure 2/B). One is the public key and the other is the private key. That is why this is an asymmetric method. The public key of a receiver is available to any sender engaged with that receiver. The sender encrypts a message with the receiver’s public key, and the receiver decrypts the message with its private key, which matches its public key. The double key encryption process looks like this:

1. Sender contacts Receiver
2. Receiver transfers its public key to Sender
3. Sender encrypts a message with Receiver’s public key
4. Receiver decrypts the message with its private key matching its public key.
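The four steps above, carried out with textbook RSA as an added example (not code from the chapter; the class and function names are chosen here). The chapter does not name an algorithm for this exchange, so RSA is an assumption, and the key is a toy: two known Mersenne primes and no padding, which is enough to show who holds what but is not how production keys are generated.

```python
# Toy parameters for illustration only. Real systems use a vetted library,
# randomly generated primes of 1024 bits or more each, and message padding.
P = 2**61 - 1        # known Mersenne prime
Q = 2**89 - 1        # known Mersenne prime
E = 65537            # common public exponent


class Receiver:
    """Owns the key pair. Only the public half ever leaves this object."""

    def __init__(self, p: int = P, q: int = Q, e: int = E):
        n = p * q
        phi = (p - 1) * (q - 1)
        self.public_key = (n, e)
        # The private exponent is the modular inverse of e (Python 3.8+).
        self._private_exponent = pow(e, -1, phi)

    def decrypt(self, ciphertext: int) -> bytes:
        n, _ = self.public_key
        m = pow(ciphertext, self._private_exponent, n)
        # Leading zero bytes are not preserved; fine for the text used here.
        return m.to_bytes((m.bit_length() + 7) // 8, "big")


class Sender:
    """Holds no secret of its own in this direction of the exchange."""

    def encrypt_for(self, public_key: tuple, message: bytes) -> int:
        n, e = public_key
        m = int.from_bytes(message, "big")
        if m >= n:
            raise ValueError("message too long for this toy key")
        return pow(m, e, n)


def run_exchange(message: bytes):
    """Return (everything a sniffer on the channel sees, what the receiver reads)."""
    receiver = Receiver()
    sender = Sender()
    # Step 1: Sender contacts Receiver (modelled by this function call).
    # Step 2: Receiver transfers its public key to Sender.
    public_key = receiver.public_key
    # Step 3: Sender encrypts a message with Receiver's public key.
    ciphertext = sender.encrypt_for(public_key, message)
    on_the_wire = {"public_key": public_key, "ciphertext": ciphertext}
    # Step 4: Receiver decrypts the message with its matching private key.
    recovered = receiver.decrypt(ciphertext)
    return on_the_wire, recovered


if __name__ == "__main__":
    wire, text = run_exchange(b"Hi, how are you")
    print("sniffer sees:", wire)
    print("receiver reads:", text)
```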

There is just one instance of the private key and it is in the possession of the receiver. That is why anyone intercepting the jammed message will not be able to make sense of it. To make communication even more secure, it can be encrypted on the receiver’s side as well. The sender would transfer its public key to the receiver first, and then all the messages from the receiver back to the sender would be encrypted as well.

Assume that the sender is a consumer accessing an online store that is in the role of receiver. Communication flows between the sender’s Web browser (client) and the receiver’s Web server (a computer that serves Web pages upon the client’s requests). You know that the channel is secured when you see that the link name of the receiver starts with “https” (HyperText Transfer Protocol Secure; note the letter “s” added to the term “http”). In other words, the receiver will send its public key to the sender initiating communication. When you do not see that “https”, you can assume that the communication is not automatically secured.

The level of security varies with the communication standard used. Today’s de facto standard for e-commerce and other business communication is the double-key encryption standard called Advanced Encryption Standard (AES). Its strength is in the range from a 64 bits key to a 256 bits key. The 256 bits key ensures perfect security for the time being. For mobile communication, encryption standards (also called ciphering) vary across the globe from the latest fourth generation GSM (Global System for Mobile Communications 4G) protocol to previous generations of GSM (3G and 2G). The more recent GSM standards have a stronger encryption than the earlier standards.

In business, the security keys are administered by a certification agency or authority (e.g., VeriSign). It maintains the latest version of keys and registers organizations that communicate via the Internet. A certification agency licenses the keys on an annual basis. This is usually done in the form of a digital certificate (Figure 3). A digital certificate contains the public key and identifying details of the owner (issuer), such as a digital signature (a unique sequence of characters). Separately from a digital certificate, the lessee also gets a private key matching the public key.

Figure 3. Digital Certificate


Malware

The term malware comes from two words in their shortened versions: malicious and software. Malware can harm data, application software, the operating system (part of system software), and even hardware (in the case of an operating system’s serious failures). Malware comes in various forms, ranging from the computer virus (historically the first) to adware, which today is a major nuisance. These forms vary in the level of threat to IS security. For example, a virus can destroy everything inscribed on a hard disk, while adware does not destroy anything but irritates the user by automatically spawning odd windows.

Computer Virus

A computer virus (virus) is a very dangerous kind of malware that impairs or destroys data and software. Legend has it that the virus was born out of an innocent game between skilled computer programmers. Sitting idle in the office without an immediate task to attend to, programmers invented a new game. Its goal was to create a piece of software that would destroy the opponent’s files. The winner, a brilliant software engineer, became the father of the computer virus.

The name of this threat draws on a parallel with living organisms. A biological virus attacking a living being (human, animal) tends to attach itself to a feeding basis that enables its reproduction. The presence of biological viruses impairs or blocks normal life functions. A computer virus works in a similar way. The virus gets into an IS or onto a computer usually via e-mail attachments, Internet downloads, Websites, removable computer storage media, and public computer facilities that are virus-infected, to name a few frequent inroads.

Viruses can inflict various troubles. For example, a virus can affect a file allocation table, that is, a map of directories and files on a hard disk. In effect, the newly created paths will not lead to the desired directories and files. Although just the disk map is destroyed rather than data files and software, the disk is made useless. The remedy is usually to reformat it. If no full disk backup exists, the user suffers a loss.

Another kind of virus can permanently reside in RAM. Every piece of application software that gets into the RAM becomes infected. The same may apply to data files. Then, depending on what sort of destruction the virus is programmed for, problems start happening. A virus could disable some functionality in particular application software (e.g., the save function may be inaccessible), or it can make certain functions work erratically (say, errors in spreadsheet processing may be the result). Another kind of virus can rewrite data in a file with some characters or it can simply delete the whole file. In the case of rewriting, the file size may not indicate any change, so the user may be unaware that the virus is present. Some viruses distributed through the Internet wreaked havoc on hundreds of thousands of computers.


Protection from Virus

Antivirus software provides the protection against viruses. Antivirus software is capable of recognizing a virus at the point of entry and blocking it by putting it in a quarantine folder to be deleted. While the delete function supported by any operating system may be blocked by the virus, good antivirus software is immune to such blocking.

Note that there are many antivirus solutions available, some being freeware. However, not many antivirus products are truly effective. Effective software is continually adjusted to the evolution of viruses, works on a deep level close to the operating system, and updates itself automatically to protect the host computer in the 24/7 mode. When you shop for antivirus software, you do not want to go cheap. Your decision rule had better be: security before cost!

Computer Worm and Protection

A computer worm is a form of malware that replicates itself and thereby overuses computing resources and impairs computer functioning. Typical examples of the impairment are a decrease in the processing speed and screen freeze. Because their main function is to replicate, worms are programmed to spread via computer networks. They exploit security holes and attach themselves to the components of a communication channel, routers, and network adapters (the interface between the network and a computer). Then, a worm penetrates the computer storage. Every time the computer is powered up, the worm replicates itself.

In general, worms operate on a broader frontline than viruses. Besides the typical impact on the IS speed, powerful worms can do more serious damage. This includes blocking weak antivirus software, which opens the door for other security threats. Some worm attacks slowed down huge segments of the Internet.

Effective antivirus software again comes as the best protection against worms. It must be regularly updated with new worm definitions and used for scanning network servers, network components, and client computers. Access points to a corporate network can also be protected by a firewall (more below).

Trojan, Adware, and Spyware

A trojan is a form of malware that blocks system security functions, thus opening doors for the intrusion of other malware. Sometimes, trojan software is classified as a worm. The name originates in the old Greek myth about the city of Troy. The Greek army besieged the unconquerable city for years until it occurred to them to try out a slick trick. They built a large wooden horse on wheels, boarded a group of soldiers in it, and left it before a gate of Troy. Naïve Trojans rolled the horse into the city, the Greek soldiers went out at a convenient hour, opened the city gate, and the Greek army rushed in to finally take Troy. For trojan malware, the gate to a computer is email attachments, malware-carrying Websites, and Internet downloads. The user may be unaware of a trojan’s presence as long as some other malware does not show up owing to the computer’s dropped defenses. Trojans can be deleted with the software that usually protects against viruses as well.

Adware is a form of malware that calls up unwanted ads in pop-up or pop-under windows. It uses the browser software to copy itself onto a computer. Every time the browser runs, adware calls up a server on the Internet that sends back advertising messages. New windows pop up or under the current window when the same browser is used. Adware activation can be based on keywords appearing in a page rendered on the user’s screen (for example, “shoes”). Then, adware can fetch ads for shoes and display them in the newly spawned windows. The adware may be programmed to create yet another ad window if the user clicks on the button for killing the current window. The solution is to close the browser. But this does not eliminate the adware. It must be cleaned up with the software that usually protects against viruses as well. Adware does not produce damaging effects but rather obstructs the normal work that uses a browser, which is very common at present. Thus, it is better to deal with adware sooner rather than later.

Spyware is a form of malware that performs surveillance over a computer for the sake of some uninvited party. It can record the user's activities, such as the files worked on, read the file content, and report all this to an external party.
Needless to say, the data can be private, such as login credentials, bank account numbers, customer records, trade secrets, and the like. Antivirus software can detect and delete spyware.

False Identity

False identity (phishing, spoofing, social engineering) is an IS security threat in which an attacker misrepresents himself as a legitimate party to mislead the victim into compromising IS security. A phishing schemer pretends to be a company or a person that he/she is not, such as an online shop, bank, tax authority, IS manager/operator, an heir to inherited wealth, and so on. The attacker’s goal is to get personal data from the victim, such as credit card numbers and banking account access. Another goal of false identity scheming is to make the victim access or download some malware. With the global spread of the Internet, phishing has engaged international players on both the attacker and victim side.

The best defense against phishing is logical: vigilance and caution. You should never visit the websites that you are invited to by unknown parties. Never click on the links in text messages or emails that come from unknown parties. Never engage in “money transfer” schemes proposed to you by unfamiliar “wealth heirs.” There are also some automated aids. For example, one can set up filters on received email. The suspicious emails are then automatically moved to a quarantine folder as soon as they reach the user’s inbox. Figure 4 shows a snapshot of a quarantine folder. The user still has a chance to check/recover each message (note the Release link).

It can be tricky to recognize false identity scheming when you get a message with a link or attachment from an email account of someone you know and communicate with. If you do not expect such a message, it is better to ask the sender whether they really sent the message. It may happen that the sender’s account has been somehow hijacked by malware, and that the message was really sent by the attacker.

Figure 4. An Example of Filtering Potential Phishing Emails

Security Systems – Firewall and Intrusion Detection

Security of an organization’s computer network (intranet) is supported by whole-scale security systems. The firewall and the intrusion detection system are popular choices. The firewall is a security IS consisting of a dedicated server that filters all the messages going into an intranet, based on the rules the system operator sets up. For example, in Figure 5, only computer C is allowed to access your computer guarded by the intranet’s firewall. Computer C can be identified by its IP address.

The firewall usually contains a rule that executable files (the files with the extension “.exe”) are automatically blocked. These files contain computer code that can be useful application software but possibly malware as well. But would this rule not stop the executable files that really need to get through the firewall, for example, the code a business partner developed as part of a contracted job? It would. The way around is to apply additional security measures on the external computer side. For instance, the user of computer C could be authorized to use a complex password which contains a fixed part and a dynamic part changing every second. The dynamic part may be a randomly generated number that is generated by both a counter in computer C and the counter in the account of user C on the company side; the two counters must be synchronized. Then, the firewall can contain a rule that places user C into a group allowed to pass in executable files.
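The rules described above, as an added sketch (not code from the chapter): a source-address allow list, the “.exe” block, and the exception for a user whose password has a fixed part plus a counter-derived part. The counter-based HOTP scheme of RFC 4226 stands in for the unspecified number generator; the class names, the address of computer C (a documentation address) and the user name are constructed for the example.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226): both sides derive it independently."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Company-side record for an external user, holding the synchronized counter."""

    def __init__(self, fixed_part: str, secret: bytes, window: int = 3):
        self.salt = os.urandom(16)
        self.fixed_hash = self._hash(fixed_part)   # fixed part is stored hashed
        self.secret = secret
        self.counter = 0
        self.window = window                       # tolerated counter drift

    def _hash(self, fixed_part: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", fixed_part.encode(), self.salt, 100_000)

    def verify(self, password: str, digits: int = 6) -> bool:
        fixed, dynamic = password[:-digits], password[-digits:]
        if not hmac.compare_digest(self._hash(fixed), self.fixed_hash):
            return False
        for counter in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, counter, digits)
            if hmac.compare_digest(dynamic.encode(), expected.encode()):
                self.counter = counter + 1         # resynchronize; code is now spent
                return True
        return False


class Firewall:
    def __init__(self, allowed_sources: set, accounts: dict, exec_group: set):
        self.allowed_sources = allowed_sources     # e.g. the address of computer C
        self.accounts = accounts
        self.exec_group = exec_group               # users allowed to pass executables

    def filter(self, src_ip, filename, user=None, password=None) -> str:
        if src_ip not in self.allowed_sources:
            return "DROP source-not-allowed"
        if not filename.lower().endswith(".exe"):
            return "ALLOW"
        account = self.accounts.get(user)
        if (user in self.exec_group and account is not None
                and password and account.verify(password)):
            return "ALLOW executable-from-authorized-user"
        return "DROP executable-blocked"


if __name__ == "__main__":
    secret = os.urandom(20)                        # shared with computer C in advance
    fw = Firewall({"203.0.113.30"}, {"userC": Account("Fixed-Part!", secret)}, {"userC"})
    print(fw.filter("198.51.100.7", "report.pdf"))
    print(fw.filter("203.0.113.30", "tool.exe"))
    print(fw.filter("203.0.113.30", "tool.exe", "userC", "Fixed-Part!" + hotp(secret, 0)))
```

Advancing the stored counter after each success is what keeps a sniffed password from being reused.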

Figure 5. Firewall

The Intrusion Detection System (IDS) is a security IS that automatically detects suspicious network traffic. IDS works behind the firewall, as the second line of protection as shown in Figure 6. Acting pretty much like a policeman, IDS scans the intranet for credentials of the users active within the network (e.g., their IDs), matches access privileges with the users accessing databases and particular systems within the intranet, and looks for suspicious behavior (e.g., repeated unsuccessful logins, and massive data copying/deletion/modification operations). The detection of any unfamiliar player or unusual behavior by an IDS sounds the alarm and initiates action of blocking the intruder. Note that an IDS can also be set up before the firewall, to monitor any suspicious change in the external environment (for example, the Internet) and report it to the firewall.
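The checks described above, run over a few log lines, as an added example (not code from the chapter). The log format, user directory, thresholds and sample events are all constructed; it flags unfamiliar users, access outside a user’s privileges, repeated unsuccessful logins, and massive copy/delete/modify operations within a time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed directory: known users and the databases each may access.
PRIVILEGES = {"alice": {"sales_db"}, "bob": {"sales_db", "hr_db"}}
FAILED_LOGIN_LIMIT = 3            # failed logins within WINDOW that raise an alert
BULK_ROW_LIMIT = 10_000           # rows touched within WINDOW that raise an alert
WINDOW = timedelta(minutes=5)
DATA_ACTIONS = {"copy", "delete", "modify"}

# Constructed sample log, one event per line.
SAMPLE_LOG = """\
2024-05-01T09:00:01 user=alice action=login result=fail
2024-05-01T09:00:09 user=alice action=login result=fail
2024-05-01T09:00:15 user=alice action=login result=fail
2024-05-01T09:02:00 user=bob action=login result=ok
2024-05-01T09:03:10 user=bob action=copy db=hr_db rows=4000
2024-05-01T09:04:20 user=bob action=copy db=hr_db rows=7000
2024-05-01T09:05:00 user=alice action=login result=ok
2024-05-01T09:06:00 user=alice action=delete db=hr_db rows=12
2024-05-01T09:07:30 user=mallory action=login result=ok
2024-05-01T09:30:00 user=bob action=modify db=sales_db rows=200
"""


def parse_event(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def detect(log_text: str) -> list:
    """Return (rule, user) alerts in the order the events trigger them."""
    alerts = []
    failed = defaultdict(deque)   # user -> timestamps of recent failed logins
    bulk = defaultdict(deque)     # user -> (timestamp, rows) of recent data operations
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, ts, action = ev["user"], ev["ts"], ev["action"]
        if user not in PRIVILEGES:
            alerts.append(("unknown-user", user))
        elif action == "login":
            if ev["result"] == "ok":
                failed[user].clear()
                continue
            recent = failed[user]
            recent.append(ts)
            while ts - recent[0] > WINDOW:        # forget failures outside the window
                recent.popleft()
            if len(recent) >= FAILED_LOGIN_LIMIT:
                alerts.append(("repeated-failed-logins", user))
                recent.clear()
        elif action in DATA_ACTIONS:
            if ev["db"] not in PRIVILEGES[user]:
                alerts.append(("privilege-violation", user))
                continue
            recent = bulk[user]
            recent.append((ts, int(ev["rows"])))
            while ts - recent[0][0] > WINDOW:
                recent.popleft()
            if sum(rows for _, rows in recent) > BULK_ROW_LIMIT:
                alerts.append(("bulk-data-operation", user))
                recent.clear()
    return alerts


if __name__ == "__main__":
    for rule, user in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {user}")
```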

Figure 6. Intrusion Detection System

Data Theft - Internal vs. External Threats

Threats to IS security are bigger inside than outside an organization. This counterintuitive statement makes sense at a closer look. Since organization members are closer to IS resources (data, software, hardware), they have a bigger chance to violate security. They can get in possession of any of the IS resources with much less effort than outsiders to the organization. Still, stealing software is not easy due to the modular design of modern software. Hardware theft is deterred by security monitoring conducted by video surveillance and guard staff. This leaves data as the part of an IS most exposed to theft risks.

Data theft refers to stealing data. Data can be stolen on a storage device containing it (or as paper files). As electronic data devices are getting smaller, the chances for data storage theft increase. Data can be stolen online as well. In this case, the attacker does not take anything physically but rather commits the illegal act of unauthorized access and takes a copy of data. Unauthorized access to data brings up another security problem: the data can be modified or deleted.

Of course, outsiders can also engage in data theft. The act of hacking is a typical manner in which the theft is committed. Hackers use their technological skills to break into systems and copy or change data to suit their interest. The victim can be any organization, including banks, insurance, credit card companies, government institutions, and corporate research and development.

Human errors increase the risk of data theft. Data storage devices can be left unprotected in unlocked offices or storage rooms. In addition, the security of internal computer storage or online storage (as in the cloud) can be compromised with lost or poor passwords. Of course, poorly defended access to the computer and online storage increases the external data theft threat as well. Overall, evidence and security experts indicate that human errors top the list of causes of the data theft threat.

Protections from Data Theft

Data can be protected by strong passwords, physical means, access monitoring, and biometric methods. Strong passwords are commonly assumed to be the most important protection against data theft. Figure 7 depicts the design of a strong password containing letters in the lower and upper case, numbers and special characters, and being longer (14 characters). No easily guessed detail should be used for making a password (e.g., a personal name, birth date, home address, numbers running in sequence, etc.). These can be guessed either by a hacker or determined by password cracking software that usually starts with simple combinations of letters and numbers.

The passcode represents an upgrade of the password protection. A passcode is a longer set of characters containing the same combinations of characters as a strong password. The advantage of a passcode over a password is that it can be a meaningful phrase that the user easily remembers. For example, this phrase is memorable but not easy to crack: th1s!1s@S6CUR6#sYsT6m (“this is secure system”; note using number 1 instead of letter i, 6 instead of e, and special characters as word separators). Older IS, however, may not be able to handle passwords that have more than eight characters.

Figure 7. Strong Password Example

Biometric methods provide yet higher security for data and other IS resources. Biological characteristics that are unique to each individual are used for managing access control. These include electronic readers of fingertips, palm, and eye retina. These methods can be used for securing rooms as well as individual computers. Although highly secure, biometric methods require extra investments in the equipment.

Securing data by physical means involves locking up and guarding offices, storage media, and rooms. Security procedures should be defined and disseminated to organization members, and they must be followed without any exception. A military-level order and discipline should be the benchmark.

Data access monitoring is the responsibility of system administrators. Database administrators have the overview of users and their access privileges for reading, inputting, changing, and deleting data. They can determine if any of these were breached. If they were, that is the signal for action.

Physical Threats and Protections

Physical threats involve natural, technical and human-caused factors endangering IS security. The electricity supply may go down, which brings electricity-hungry IS to a stop. A protection is to have back-up electricity generators that automatically start in the case of a blackout. Furthermore, natural disasters, such as earthquakes, storms and tsunamis, can destroy the IS facilities and equipment. Moreover, the physical factors can also spring from human action, such as arson, terrorist violence, and military attack. The effective management of IS security involves disaster management plans for these occasions. A part of planning is to have backup computing facilities off-site; cloud solutions can help. In addition, backup databases should be kept at another location.
Testing disaster preparedness should be regularly performed.

New Security Threats

Threats to the security of IS are evolving. For some new threats, no effective protection has yet been discovered. One such threat is ransomware. A ransomware attacker gets unauthorized access to someone’s computer and encrypts files with business data. Then, similarly to the case of kidnapping a human being, the attacker demands a monetary payment in exchange for decrypting the files. The ransomware is usually delivered via email attachments and URLs. Therefore, this is yet another way of deploying phishing.


According to security reports, about a half of businesses in the U.S. have been affected by ransomware and hundreds of millions of dollars have been paid to ransomware cybercriminals. For example, in the spring of 2017, the attack by WannaCry ransomware affected about 200,000 Windows computers in 150 countries, across social sectors. This particular ransomware had the reproductive capability of a computer worm, which enabled it to spread across computers. Apparently, this amplified the damaging effects.

Effective protections against ransomware are yet to be developed. The line of defense is in the beginning steps, focusing on slowing down the spreading of ransomware rather than on decryption of data encrypted by ransomware. Decryption is technically difficult and may be unable to prevent the damage if the attackers make the payment period very short, while threatening to publish the files on the Internet if the ransom is not paid.

Summary

IS security is an old concern with a continuous presence. The Internet and wireless communication have brought new security challenges. Security threats are both internal and external, and include sniffing, malware, false identity, data theft, and physical factors. As the security threats are evolving, so do the protections. These include data encryption, antivirus software, firewalls, intrusion detection systems, passwords/passcodes, monitoring system access, and disaster management planning. Proper management of IS security ensures that effective defenses are applied so that IS keep operating smoothly. IS security costs money, but an insecure system costs more, measured by the loss in IS resources and the business lost.

Questions for Review and Study

1. Compare and contrast sniffing and phishing (social engineering).
2. What is the encryption key and how is it used in securing IS?
3. Compare and contrast computer virus and computer worm.
4. Compare and contrast trojan malware and adware/spyware.
5. What is a firewall and how is it used in securing IS? What is an intrusion detection system and how is it used in securing IS?
6. Compare and contrast computer password/passcode and biometric methods.
7. Give examples of three protections from IS security threats.