8.

Information System Controls

8.2 Main Control Risks and Measures

Each of these 6 susceptible/ vulnerable
to attacks
 3 Components of
Information Systems Security
 A) Confidentiality
• When protecting information, we want to be
able to restrict access to those who are
allowed to see it; everyone else should be
disallowed from learning anything about its
contents. This is the essence of confidentiality.
For example, federal law requires that
universities restrict access to private student
information. The university must be sure that
only those who are authorized have access to
view the grade records.
 B) Integrity
• Integrity is the assurance that the information being accessed
has not been altered and truly represents what is intended. Just
as a person with integrity means what he or she says and can
be trusted to consistently represent the truth, information
integrity means information truly represents its intended
meaning. Information can lose its integrity through malicious
intent, such as when someone who is not authorized makes a
change to intentionally misrepresent something. An example of
this would be when a hacker is hired to go into the university’s
system and change a grade.
• Integrity can also be lost unintentionally, such as when a
computer power surge corrupts a file or someone authorized to
make a change accidentally deletes a file or enters incorrect
information.
 C) Availability
• Information availability is the third part of the CIA
triad. Availability means that information can be
accessed and modified by anyone authorized to do so
in an appropriate timeframe. Depending on the type
of information, appropriate timeframe can mean
different things. For example, a stock trader needs
information to be available immediately, while a sales
person may be happy to get sales numbers for the
day in a report the next morning. Companies such as
Amazon.com will require their servers to be available
twenty-four hours a day, seven days a week. Other
companies may not suffer if their web servers are
down for a few minutes once in a while.
 Goals of Information Security
• Reduce the risk of systems and organizations
ceasing operations
• Maintain information confidentiality
• Ensure the integrity and reliability of data
resources
• Ensure the uninterrupted availability of data
resources and online operations
• Ensure compliance with national security laws
and privacy policies and laws
7
8.2.1 THREATS
• Management must be (1) THREATS
informed of the various
kinds of threats facing the
organization
• A threat is an object, person,
or other entity that
represents a constant
danger to an asset
• By examining each threat
category in turn,
management effectively
protects its information
through policy, education
and training, and
technology controls
Threats to Information Security
 1. Acts of Human Error or Failure
• Includes acts done without
malicious intent
• Caused by:
– Inexperience
– Improper training
– Incorrect assumptions
– Other circumstances
• EMPLOYEES are the
GREATEST THREATS to
information security – They
are closest to the
organizational data
 Acts of Human Error or Failure (2)
• Employee mistakes can easily
lead to the following:
1. Revelation of classified data
2. Enter of erroneous data
3. Accidental deletion or
modification of data
4. Storage of data in
unprotected areas
5. Failure to protect information
• Many of these threats can be
prevented with controls
 2. Compromise of Intellectual Property

• Intellectual property is a category

of property that includes intangible creations
of the human intellect, and primarily
encompasses copyrights, patents, trademarks
and trade secrets
• Artistic works like music and literature, as
well as some discoveries, inventions, words,
phrases and designs can all be protected as
intellectual property
2. Compromise of Intellectual Property (2)
• Trade secrets can be used to protect
– Formulas (such as the one used by Coca-Cola)
– Blueprints for future projects
– Chemical compounds
• Most common breach of intellectual property is
software piracy, statistics say about 1/3 of software in
use all over the world is pirated.
• Employees can leak source code, business plans,
internal business information, trade secrets via
email, flash sticks, remote network access, theft of
printed documents
• Espionage refers to the act of
infringing on the privacy, time or 3. Espionage/Trespass
attention of others.
• These are activities that breach the
confidentiality of information like
– Shoulder surfing can occur any
place a person is accessing
confidential information
• Controls implemented to mark the
boundaries of an organization’s
virtual territory giving notice to
trespassers that they are
encroaching on the organization’s
cyberspace
• Hackers uses skill, guile, or fraud to
steal the property of someone else
 Espionage/Trespass Cont..
• Generally two skill levels among hackers:
– Expert hacker
• Develops software scripts and codes exploits
• Usually a master of many skills
• Will often create attack software and share with others
– Unskilled Hackers (Script kiddies)
• Hackers of limited skill
• Use expert-written software to exploit a system
• Do not usually fully understand the systems they hack
• Other terms for system rule breakers:
– Cracker - an individual who “cracks” or removes
protection designed to prevent unauthorized duplication
– Phreaker - hacks the public telephone network
 4. Information Extortion
• Information extortion is
an attacker or formerly
trusted insider stealing
information from a
computer system and
demanding
compensation for its
return or non-use
• Extortion is also found in
credit card number theft
 5. Sabotage or Vandalism
• Individual or group who want to
deliberately sabotage the operations
of a computer system or business, or
perform acts of vandalism to either
destroy an asset or damage the
image of the organization
• These threats can range from petty
vandalism to organized sabotage
• Organizations rely on image so Web
defacing can lead to dropping
consumer confidence and sales
• Rising threat of hacktivist or cyber-
activist operations – the most
extreme version is cyber-terrorism
 6. Deliberate Acts of Theft
• Illegal taking of another’s property - physical,
electronic, or intellectual
• The value of information suffers when it is copied
and taken away without the owner’s knowledge
• Physical theft can be controlled - a wide variety of
measures used from locked doors to guards or
alarm systems
• Electronic theft is a more complex problem to
manage and control - organizations may not even
know it has occurred
 7. Deliberate Software Attacks
• When an individual or group designs software
to attack systems, they create malicious
code/software called malware
– Designed to damage, destroy, or deny
service to the target systems
• Includes:
– Virus attacks Trojan
– Worm attacks Horse
– Trojan horses M
– Logic bombs R
– back door or trap door
O
W Virus
– denial-of-service attacks
– hoaxes

Bomb
 Deliberate Software Attacks Cont..(1)
1. Virus is a computer program that ATTACHES ITSELF to an
executable file or application. It can replicate itself, usually
through an executable program attached to an e-mail. The
keyword is “attaches”. A virus can not stand on its own.
2. A worm is a computer program that replicates and propagates
itself without having to attach itself to a host. Most infamous
worms are Code Red and Nimda. Cost businesses millions of
dollars in damage as a result of lost productivity Computer
downtime and the time spent recovering lost data, reinstalling
programming's, operating systems, and hiring or contracting IT
personnel.
3. Trojan programs disguise themselves as useful computer
programs or applications and can install a backdoor or rootkit
on a computer. Backdoors or rootkits are computer programs
that give attackers a means of regaining access to the attacked
computer later.
 8. Forces of Nature
• Forces of nature, or acts of God are dangerous
because they are unexpected and can occur with
very little warning
• Can disrupt not only the lives of individuals, but also
the storage, transmission, and use of information
• Include fire, flood, earthquake, and lightning as well
as volcanic eruption and insect infestation
• Since it is not possible to avoid many of these
threats, management must implement controls to
limit damage and also prepare contingency plans
for continued operations
 9. Deviations in Quality of Service
by Service Providers
• Situations of product or services NOT DELIVERED as
expected .
• Information system depends on many inter-dependent
support systems
• Three sets of service issues that dramatically affect the
availability of information and systems are
– Internet service
– Communications
– Power irregularities
 9. a) Internet Service Issues
• Loss of Internet service can lead to considerable loss in
the availability of information system
– organizations have sales staff and telecommuters
working at remote locations
• when an organization outsources its web servers, the
outsourcer assumes responsibility for
– All Internet Services
– The hardware and operating system software used to
operate the web site
 9 b) Communications and Other Services
• Other utility services have potential impact
• Among these are
– Telephone
– Water & wastewater
– Trash pickup
– Cable television
• The threat of loss of services can lead to inability to
function properly
 9 c) Power Irregularities
• Voltage levels can increase, decrease, or cease:
– Spike – momentary increase
– Surge – prolonged increase
– Sag – momentary low voltage
– Brownout – prolonged drop
– Fault – momentary loss of power
– Blackout – prolonged loss
• Electronic equipment is susceptible to fluctuations,
controls can be applied to manage power quality
 10. Technical Hardware Failures or Errors
• Technical hardware failures or errors occur when a
manufacturer distributes to users equipment containing flaws
(equipment failure)
• These defects can cause the system to perform outside of
expected parameters, resulting in unreliable service or lack of
availability
• Some errors are terminal, in that they result in the
unrecoverable loss of the equipment
• some errors are intermittent, in that they only periodically
manifest themselves, resulting in faults that are not easily
repeated
 11. Technical Software Failures or Errors

• This category of threats comes from purchasing software

with unrevealed faults
• Large quantities of computer code are written,
debugged, published, and sold only to determine that
not all bugs were resolved
• Sometimes, unique combinations of certain software
and hardware reveal new bugs
• Sometimes, these items aren’t errors, but are purposeful
shortcuts left by programmers for honest or dishonest
reasons
 12. Technological Obsolescence
• When the infrastructure becomes antiquated or
outdated, it leads to unreliable and untrustworthy
systems
• Management must recognize that when technology
becomes outdated, there is a risk of loss of data
integrity to threats and attacks
• Ideally, proper planning by management should
prevent the risks from technology obsolesce, but when
obsolescence is identified, management must take
action
8.2.2 VULNERABILITIES
 Vulnerabilities
• A vulnerability is an identified weakness of a
information system whose controls are not present or are
no longer effective

• Vulnerabilities exposes organisation to risk.

• Understanding your vulnerabilities is the first step to

managing risk. Some possible vulnerabilities you should think
about as part of your risk assessments and risk treatments: -
current employees, former employees, technology, network,
IT management, suppliers and partners etc.
 Vulnerabilities (1)
• Employees:
– Lack of information security awareness
– Social and customer interactions
– Opening spam or malware emails
– Connecting personal devices to company network
– Losing id cards and door access cards
 Vulnerabilities (2)
• Former Employees:
– Working for competitors
– Retaining company data
– Sabotaging systems or data
– When an employee leaves the organization his
user id should be terminated.
 Vulnerabilities (3)
• Technology:
– Social networking
– File sharing
– Technological changes
– Legacy systems
– Storing organisational data on mobile devices
 Vulnerabilities (4)
• Hardware + Software:
• Software bugs
• Hardware flaws
• Insufficient testing
• Out of date hardware
• Hardware Misconfiguration
• Vendors that go out of business/ change of
ownership
• Lack of audit trails
 Vulnerabilities (5)
• Network:
– Inadequate firewalls
– Unprotected network communications
– Open physical connections, IPs and ports
– Insecure network architecture
– Unused user ids
– Excessive privileges
– Wi-Fi and mobile networks
 Vulnerabilities (6)
• IT management:
– Insufficient it capacity
– Misused security patches
– Improper waste disposal
– Inadequate continuity planning
– Processes that fail to consider human factors
 Vulnerabilities (7)
• Partners and Suppliers:
– Disruption of telecom and other utility services
– Hardware and software failure
– Supplier disruptions
– Sharing confidential data with partners and
suppliers
– Supply chain breakdown
 Vulnerabilities (8)
• Offices and data centres:
– Sites that are prone to natural disasters such as
extreme weather
– Unreliable power sources
– High crime areas
– Multiple sites in the same geographic area
8.2.3 ATTACKS
 Attacks
• An attack is the deliberate act that exploits
vulnerability
• It is accomplished by a threat-agent to damage or
steal an organization’s information or physical asset
– An exploit is a technique to compromise a system
– An attack is then the use of an exploit to achieve
the compromise of a information system
 Motives of Cyber Criminal
• Power assurance---to restore criminal’s self-
confidence or self-worth through low-aggression
means;---e.g. cyber stalking
• Power assertive---to restore criminal’s self-
confidence or self-worth through moderate- to high-
aggression means---not to harm the victim but to get
control of the victim;
• Anger (retaliatory)---rage towards a person, group,
institution, or a symbol---the offender may believe
that they are correcting some injustice
• Sadistic---derive gratification from the pain/suffering
of others
• Profit-oriented---material or personal gain
 1. Hacking
• Hacking is unauthorized intrusion into a
computer or a network. The person engaged in
hacking activities is generally referred to as a
hacker. This hacker may alter system or security
features to accomplish a goal that differs from
the original purpose of the system.
• Hackers may be motivated by a multitude of
reasons, such as profit, protest, information
gathering, challenge, recreation, or to evaluate
system weaknesses to assist in formulating
defences against potential hackers
 2. Salami Attacks
• A salami attack is when small attacks add up to one
major attack that can go undetected due to the nature of
this type of cyber crime. It also known as salami slicing.
Although salami slicing is often used to carry out illegal
activities, it is only a strategy for gaining an advantage
over time by accumulating it in small increments, so it can
be used in perfectly legal ways as well .The attacker uses
an online database to seize the information of customers
that is bank/credit card details deducting very little
amounts from every account over a period of time. The
customers remain unaware of the slicing and hence no
complaint is launched thus keeping the hacker away from
detection.
 3. Email Spoofing
• Email spoofing is the forgery of an email header so
that the message appears to have originated from
someone or somewhere other than the actual source.
• Email spoofing is a tactic used
in phishing and spam campaigns because people are
more likely to open an email when they think it has
been sent by a legitimate source. The goal of email
spoofing is to get recipients to open, and possibly even
respond to, a solicitation.
• Email spoofing can have malicious motives such as
virus spreading or attempts to gain personal banking
information.
 4.Phishing
• Phishing is the attempt to obtain sensitive
information such as usernames, passwords,
credit card details (and money), often
for malicious reasons, by disguising as a
trustworthy entity in an electronic
communication
 5. Denial of Service Attacks
• Denial-of-service (DoS) –
– Attacker sends a large number of connection or
information requests to a target
– So many requests are made that the target system
cannot handle them successfully along with other,
legitimate requests for service
– May result in a system crash, or merely an inability to
perform ordinary functions
• Distributed Denial-of-service (DDoS) - an attack in
which a coordinated stream of requests is launched
against a target from many locations at the same time
Slide 51
 6. Social Engineering
• Social Engineering - within the context of
information security, the process of using social
skills to convince people to reveal access
credentials or other valuable information to the
attacker
• “People are the weakest link. You can have the
best technology; firewalls, intrusion-detection
systems, biometric devices ... and somebody can
call an unsuspecting employee. That's all she
wrote, baby. They got everything.”
 7. Web Hijacking
• Web hijacking as the name suggest is the
forceful controlling of other people’s website
such that they lose control of their website
and content.
 8. Malicious Code
• This kind of attack includes the execution of
viruses, worms, Trojan horses, and active web
scripts with the intent to destroy or steal
information
 9. Computer Vandalism
• The deliberate damage or defacement of
computer equipment, be it physically or by
installing malware.
 10. Cyber Terrorism
• Terrorist activities intended to damage or
disrupt vital computer systems like attacks on
military installations, power plants , air traffic
controls etc.
 11. SQL injection Attacks
• An SQL injection attack is an attempt to issue SQL
commands to a database via a website interface. This is to
gain stored database information, including usernames
and passwords.
• This code injection technique exploits security
vulnerabilities in an application's database layer. Hackers
exploit poorly coded websites and web apps to inject SQL
commands, for example, taking advantage of a login
form to gain access to the data stored in the database.
• In simple terms, SQL injection attacks occur because the
user-input fields permit the SQL statements to pass
through and directly query the database.
 12. Spyware & Adware
• Spyware
– A Spyware program sends info from the infected
computer to the person who initiated the spyware
program on your computer
– Spyware program can register each keystroke entered.
• Adware
– Main purpose is to determine a user’s purchasing habits so
that Web browsers can display advertisements tailored to
that user.
– Slow down the computer it’s running on.
• Both programs can be installed without the user being
aware of their presence
 13. Cyber-Bulling & Stalking
• The use of the Internet or other electronic means
to stalk, harass or threaten an individual, group, or
organization with physical harm.
• NB: Cyber bullying and cyber stalking are used for the
same kinds of communications, but cyber bullying is
the usual term when minors are involved.
• Both may include false accusations and slander. It
may also include monitoring, identity theft, threats,
vandalism, solicitation for sex, or gathering
information that may be used to threaten, embarrass
or harass.
 14. Cyber Defamation
• Cyber defamation is when a person for
instance send an email containing
defamatory information to all of that person’s
friends and family
 15. Identity Theft
• Identity theft is when someone uses your
personal identifying information (e.g., name,
address, ID number, banking account
number, username or password) to commit
fraud, to gain financial advantage or obtain
credit and other benefits in the other person's
name.
 16. Email Bombing
• A malicious act where huge numbers of e-
mails are directed to a specific system or a
targeted user of that system. Mail bombs will
usually fill the allotted space on an e-mail
server for the users e-mail and can result in
crashing the e-mail server, or at the very
least, possibly rendering the user's computer
useless as their e-mail client attempts to
download the huge amounts of e-mail. Also
called a mail bomb.
 17. Man in the Middle Attacks
• A man-in-the-middle (MITM) attack is a form of
eavesdropping where communication between two
users is monitored and modified by an unauthorized
party. Generally, the attacker actively eavesdrops by
intercepting a public key message exchange and
retransmits the message while replacing the requested
key with his own.
• In the process, the two original parties appear to
communicate normally. The message sender does not
recognize that the receiver is an unknown attacker
trying to access or modify the message before
retransmitting to the receiver. Thus, the attacker
controls the entire communication.
Slide 64
8.2.4 RISKS
 Information Systems Risks
• As part of managing the health and safety of an
information system, one must control the risks that can
occur in the organization.
• To do this one might need to think about the impact on
the information system if the hardware, software, people,
databases, telecommunications and procedures are
compromised? How much can the organisation take once
compromised?
• If for instance there is a denial of service attack, hardware
failures, or if the information system gets hacked, or if the
database gets deleted, how far will that impact the
organisation? Those are questions that need to be asked
when analyzing the risks and the potential impacts of
attacks.
 Information Systems Risks (2)
• The process of analysing the threats and
vulnerabilities of an information system and
the potential impacts the loss of information
or the capabilities of a system will have is
called risk analysis.
Risk = Threats x Vulnerabilities
 Risks can include:
• Leakage of sensitive organisational information
• Financial losses
• Business disruptions
• Loss of privacy
• Damage of reputation
• Loss of confidence in the organisation
• Legal penalties
• Loss of human Life
• Loss of data integrity
8.2.4 MEASURES
 Measures Overview..
• The results of the risk analysis is used as basis
for identifying appropriate and cost effective
measures to mitigate the threats to an
information system.
• Common measures include educating staff
members, employing encryption techniques,
cryptography, user IDs, login procedures,
firewalls, intrusion detection systems, firewalls,
antivirus etc.
 Measures (1)
• Encryption: Encryption is used to make stored data more secure
from hackers, by making it unreadable to people who do not
have the key to decrypt or decode it. This method is commonly
used to protect data transmitted over the internet.

• Anti-Virus Software: A computer virus is a program designed

to cause damage to a computer system. They are particularly
dangerous because they can corrupt or damage files as they
spread throughout the system. The use of a virus scanner or anti-
virus software helps to minimise the risk from viruses; this software
searches the computer system for viruses and deletes them once
detected. For maximum protection it is essential to purchase a
reliable product that provides daily downloads of new virus
definitions and then sweeps the system regularly.
 Measures (2)
• Anti-Spyware Software Spyware is software that is
installed on a computer system with the purpose of
gaining information about an organisation without
their knowledge or consent. In some cases malicious
spyware can control the computer system remotely.
The use of anti-spyware software can minimise the
risk from spyware. The most effective anti-spyware
software provides real-time protection by scanning all
incoming network data and by blocking any spyware
threats that are detected. Alternative anti-spyware
software is used for the sole purpose of detecting and
removing spyware that is already installed.
 Measures (3)
• Firewalls Hacking is the practice of breaking into
computer systems and it is essential that preventative
measures are taken. The main technique is to install a
firewall to prevent unauthorised requests from
hackers attempting to gain access to the network or
computer systems via the internet. MIS systems are
constantly communicating with the outside world,
which involves connection to public networks and the
associated difficulty of effectively policing access to the
system. A firewall is a combination of hardware and
software that is designed to check the integrity of
incoming messages and requests for service from the
system.
 Measures (3)
• Intrusion Detection Systems (IDS)
Intrusion detection systems (IDS) are designed
to monitor the network or computer system
for malicious activities. Once an incident is
detected, a report is produced and sent to the
network administrator for further action.
Firewalls are used to limit access between
networks and to prevent intrusion, whereas
the IDS searches for attacks that originates
from within the system.