MANAGEMENT INFORMATION SYSTEM
case study.
2nd CASE STUDY CHAPTER 8: MWEB BUSINESS: HACKED
1. What technology issues led to the security breach at MWEB?
The breach was in the Web-based self-service management system run by Internet Solutions (IS), which MWEB Business used to provision and manage the business accounts that had not yet been migrated to the MWEB network. Attackers gained access to that system, obtained MWEB Business subscribers' ADSL logon usernames and passwords, and published them on the Internet. The technology issues were therefore: customer credentials held in a third party's Web application rather than in MWEB's own authentication systems; legacy accounts that still depended on that external system for authentication; and a management interface that allowed an unauthorised party to extract those credentials in a form that could be published and reused.
2. What is the possible business impact of this security breach for both MWEB and its customers?
The breach affects both MWEB Business and its customers.

For MWEB, the immediate impact is operational: it has to notify every affected customer, reset the compromised passwords, and work with Internet Solutions to find and fix the cause. Beyond that, it loses customer trust, which is difficult to win back, and it must quickly put proper policies and controls in place for the affected systems while preparing for possible legal action and financial losses. Together these are a threat to customer retention and to MWEB's reputation, and customers will expect a clear explanation of what happened.

For customers, the impact is that their account logon details, which they regard as private, have been exposed and could be misused, with the risk of data being lost or altered. There is also the inconvenience of having their passwords changed or having to change them, the possibility that their service is temporarily unavailable, and the need for an explanation of the incident and advice on what they should do about it.
3. If you were an MWEB customer, would you consider MWEB’s response to the security breach to be acceptable? Why or why not?
If we were an MWEB customer, we would consider MWEB's response to the security breach to be acceptable, for several reasons. One reason is that MWEB responded quickly to the hacking incident. MWEB also contacted its customers to reset their passwords as an added security measure. It was also quick to note that no personal information was lost and that none of MWEB's clients suffered any losses, as their usernames and passwords had been recreated and changed. Furthermore, MWEB successfully repels 5,000 attacks a day. In addition, MWEB was working closely with Internet Solutions to investigate the nature and source of the breach to ensure that it does not happen again.
4. What should MWEB do in the future to avoid similar incidents?
To avoid similar incidents in the future, MWEB should keep its network security up to date with current controls and practices: digital certificates, intrusion detection systems, regular Management Information System (MIS) audits, regular and thorough security testing, and improved identity management. MWEB should also act immediately when a breach is detected, evaluating its extent and limiting the damage, and should constantly advise its customers to be vigilant about their online data and security. It should also continue working closely with Internet Solutions to investigate the nature and source of the breach. Because the compromised accounts were exactly those still provisioned through the Internet Solutions self-service system, finishing the migration of the remaining legacy accounts to MWEB's own authentication systems would also remove the dependency on that external system. These recommendations are important for avoiding similar incidents in the future.
MWEB Business takes action in “hacking” incident
Less than 1 000 MWEB Business customers' accounts were briefly compromised yesterday (25 October) when access was gained to Internet Solutions' (IS) self-service management system that MWEB Business uses to provision and manage business accounts that have not yet been migrated to the MWEB network.
Andre Joubert, GM of MWEB Business, emphasised that only ADSL authentication usernames and passwords were compromised. The integrity of the personal or private data related to the accounts remains intact, as do the access credentials for each customer's bundled on-site router.
“Nevertheless, we see this breach in a very serious light and deeply regret any inconvenience this may cause affected customers,” he said.
“As soon as the breach came to our attention, we took immediate action to ascertain the extent of the compromise and to limit any damage that might have been caused. MWEB Business is in the process of contacting all affected customers to advise them that their passwords are being changed remotely,” he added.
The compromised accounts are the only MWEB Business customer accounts that have not yet been migrated to MWEB's own IPC network following its launch in April.
Historically, MWEB Business re-sold Internet Solutions' Uncapped & Fixed IP ADSL services, which were provisioned and managed by MWEB, using a Web-based management interface provided by Internet Solutions. All new Business ADSL services provisioned after April, as well as the bulk of legacy services already migrated, use MWEB's internal authentication systems, which were completely unaffected by this incident.
MWEB is working with Internet Solutions to investigate the nature and source of the compromise and to ensure that it does not recur.
MWEB Business
Founded in January 1998 as the business division of MWEB, MWEB Business provides comprehensive solutions in areas of Internet access, application services, e-commerce, network support and consultancy to businesses.
We are dedicated to helping our business clients leverage the power of the Internet by providing a comprehensive solution for all their Internet needs along with the expertise and skills to successfully implement their ventures online.
MWEB Business has e-commerce enabled nearly 600 businesses and provided Internet services to 7 000 business clients, including Pick n Pay, Mango, 1Time, FlySAA, Netflorist, and many more.
Management Information Systems (BMIS300)
Lebanese international university.
Interactive Sessions: Stuxnet and the Changing Face of Cyberwarfare MWEB Business: Hacked
LEARNING OBJECTIVES
After reading this chapter, you will be able to answer the following questions:
Why are information systems vulnerable to destruction, error, and abuse?
What is the business value of security and control?
What are the components of an organizational framework for security and control?
What are the most important tools and technologies for safeguarding information resources?
CHAPTER OUTLINE

8 SYSTEM VULNERABILITY AND ABUSE
- Why Systems Are Vulnerable
- Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
- Hackers and Computer Crime
- Internal Threats: Employees
- Software Vulnerability

8 BUSINESS VALUE OF SECURITY AND CONTROL
- Legal and Regulatory Requirements for Electronic Records Management
- Electronic Evidence and Computer Forensics

8 ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL
- Information Systems Controls
- Risk Assessment
- Security Policy
- Disaster Recovery Planning and Business Continuity Planning
- The Role of Auditing

8 TECHNOLOGIES AND TOOLS FOR PROTECTING INFORMATION RESOURCES
- Identity Management and Authentication
- Firewalls, Intrusion Detection Systems, and Antivirus Software
- Securing Wireless Networks
- Encryption and Public Key Infrastructure
- Ensuring System Availability
- Security Issues for Cloud Computing and the Mobile Digital Platform
- Ensuring Software Quality

LEARNING TRACK MODULES
- The Booming Job Market in IT Security
- The Sarbanes-Oxley Act
- Computer Forensics
- General and Application Controls for Information Systems
- Management Challenges of Security and Control
- Software Vulnerability and Reliability
Securing Information Systems
LinkedIn is one of the most prominent social networking sites on the Web. LinkedIn has over 160 million members, mostly career-minded white-collar workers more interested in networking than being social. Users maintain online resumes, establish links with their colleagues and business contacts, and search for experts with answers to their daily business problems. People looking for jobs or to advance their careers take this service very seriously. By any measure, LinkedIn has been one of the top tech success stories in the last decade. The company is now valued at over $12 billion. In June 2012, however, the company suffered a staggering data breach that exposed the passwords of millions of LinkedIn users. Hackers breached LinkedIn's security and stole 6. million user passwords, then posted the passwords publicly on a Russian hacking forum. In the aftermath of the breach, LinkedIn users and security experts alike were stunned that a company whose primary function is to collect and manage customer data had done so little to safeguard it. LinkedIn had woefully inadequate computer security, especially for a highly successful tech company with healthy cash reserves, a strong bottom line, and talented employees. Security experts criticized LinkedIn for not having a chief security officer whose primary job is to guard against security breaches. But even more surprisingly, LinkedIn was found to have minimal protection for its stored passwords and did not employ several standard techniques used to protect them. Most companies use a technique known as "salting," which combines each password with a random value (the salt) before it is hashed, so that two users with the same password end up with different hashes and an attacker cannot crack many accounts at once with one precomputed table. Salting can be performed at little to no cost with just a few additional lines of code.
Most companies use standard cryptographic functions for salted password hashing, but, incredibly, LinkedIn had not salted its users' passwords at all, the security equivalent of leaving one's valuables unattended in a crowded area. Most companies store hashed passwords on separate, secure Web servers to make it more difficult for hackers to break in. The total cost for a company like LinkedIn to set up robust password, Web server, and application security would be in the low six figures, but the average data breach costs companies $5 million, according to a Symantec-sponsored study by the Ponemon Institute. LinkedIn's losses might end up being even higher than that, which makes their near total disregard for data security even more surprising. Some security experts believe that the lack of liability for companies like LinkedIn is a major reason for their lax security policies. Unlike other industries, where basic consumer protections are overseen and protected, computer security and social network data security are not regulated and are poorly protected by many companies. Additionally, with social networks, people tend not to leave a service because of a data breach. For example, in the wake of the breach, many users wanted to leave LinkedIn, but opted not to because it is the most prominent social network for business networking.
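To make the salting point concrete, here is an added example (my code, not the textbook's and not anything LinkedIn ran; the users, passwords and wordlist are constructed). It stores the same three accounts two ways, first as bare SHA-1 hashes, which is how an unsalted store is typically built, then with a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library, and runs a dictionary attack against each store, counting hash computations so the cost difference is visible.

```python
"""Unsalted versus salted password hashing.

Added example, not from the textbook or from LinkedIn: the users, passwords
and wordlist below are constructed test data. It shows why an unsalted hash
lets an attacker crack every user who chose the same password with one
precomputed lookup, and how a per-user random salt plus a slow key
derivation function (PBKDF2-HMAC-SHA256 from the standard library) forces
a separate computation for every (user, guess) pair.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed credential store: alice and bob chose the same password.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist; it happens to contain one of the passwords.
WORDLIST = ["password", "123456", "Summer2012!", "linkedin"]

ITERATIONS = 100_000  # raise until one hash costs roughly 100 ms on your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the same password always gives the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each guess once, then match the table against every stored hash.

    Returns (cracked users, number of hash computations). The table can be
    built before the breach ever happens; that is what a rainbow table is.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = encoded.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With salts there is no shared table: every (user, guess) pair costs a full KDF run."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, encoded in stored.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, encoded):
                cracked[user] = guess
                break
    return cracked, work


def build_stores() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the unsalted and the salted password store for the constructed users."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("identical unsalted hashes for alice and bob:", unsalted["alice"] == unsalted["bob"])
    print("identical salted hashes for alice and bob:  ", salted["alice"] == salted["bob"])
    print("unsalted crack (cracked, hash computations):", crack_unsalted(unsalted, WORDLIST))
    print("salted crack   (cracked, KDF runs):         ", crack_salted(salted, WORDLIST))
```

With the unsalted store, one SHA-1 per wordlist entry cracks both users who share a password, and that table can be built before the breach. With salts, each (user, guess) pair needs its own PBKDF2 run, and raising `ITERATIONS` scales the attacker's cost linearly without changing the stored format. Appending a salt to an already computed hash gives none of this; the salt has to be part of the hash input.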
####### YOU’RE ON LINKEDIN? WATCH OUT!
8 SYSTEM VULNERABILITY AND ABUSE
Can you imagine what would happen if you tried to link to the Internet without a firewall or antivirus software? Your computer would be disabled in a few seconds, and it might take you many days to recover. If you used the computer to run your business, you might not be able to sell to your customers or place orders with your suppliers while it was down. And you might find that your computer system had been penetrated by outsiders, who perhaps stole or destroyed valuable data, including confidential payment data from your customers. If too much data were destroyed or divulged, your business might never be able to operate! In short, if you operate a business today, you need to make security and control a top priority. Security refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.
####### WHY SYSTEMS ARE VULNERABLE
When large amounts of data are stored in electronic form, they are vulnerable to many more kinds of threats than when they existed in manual form. Through communications networks, information systems in different locations are interconnected. The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network. Figure 8 illustrates the most common threats against contemporary information systems. They can stem from technical, organizational, and environmental factors compounded by poor management decisions. In the multi-tier client/server computing environment illustrated here, vulnerabilities exist at each layer and in the communications between the layers. Users at the client layer can cause harm by introducing errors or by accessing systems without authorization. It is possible to access data flowing over networks, steal valuable data during transmission, or alter messages without authorization. Radiation may disrupt a network at various points as well. Intruders can launch denial-of-service attacks or malicious software to disrupt the operation of Web sites. Those capable of penetrating corporate systems can destroy or alter corporate data stored in databases or files.

Systems malfunction if computer hardware breaks down, is not configured properly, or is damaged by improper use or criminal acts. Errors in programming, improper installation, or unauthorized changes cause computer software to fail. Power failures, floods, fires, or other natural disasters can also disrupt computer systems. Domestic or offshore partnering with another company adds to system vulnerability if valuable information resides on networks and computers outside the organization's control. Without strong safeguards, valuable data could be lost, destroyed, or could fall into the wrong hands, revealing important trade secrets or information that violates personal privacy.

The popularity of handheld mobile devices for business computing adds to these woes. Portability makes cell phones, smartphones, and tablet computers easy to lose or steal. Smartphones share the same security weaknesses as other Internet devices, and are vulnerable to malicious software and penetration from outsiders. Smartphones used by corporate employees often contain sensitive data such as sales figures, customer names, phone numbers, and e-mail addresses. Intruders may be able to access internal corporate systems through these devices.

FIGURE 8 CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
Chapter 8 Securing Information Systems 325
Internet Vulnerabilities

Large public networks, such as the Internet, are more vulnerable than internal networks because they are virtually open to anyone. The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. When the Internet becomes part of the corporate network, the organization's information systems are even more vulnerable to actions from outsiders. Computers that are constantly connected to the Internet by cable modems or digital subscriber line (DSL) lines are more open to penetration by outsiders because they use fixed Internet addresses where they can be easily identified. (With dial-up service, a temporary Internet address is assigned for each session.) A fixed Internet address creates a fixed target for hackers. Telephone service based on Internet technology (see Chapter 7) is more vulnerable than the switched voice network if it does not run over a secure private network. Most Voice over IP (VoIP) traffic over the public Internet is not encrypted, so anyone with a network can listen in on conversations. Hackers can intercept conversations or shut down voice service by flooding servers supporting VoIP with bogus traffic. Vulnerability has also increased from widespread use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs. E-mail may contain attachments that serve as springboards for malicious software or unauthorized access to internal corporate systems. Employees may use e-mail messages to transmit valuable trade secrets, financial data, or confidential customer information to unauthorized recipients. Popular IM applications for consumers do not use a secure layer for text messages, so they can be intercepted and read by outsiders during transmission over the public Internet. Instant messaging activity over the Internet can in some cases be used as a back door to an otherwise secure network. Sharing files over peer-to-peer (P2P) networks, such as
326 Part Two Information Technology Infrastructure
Intruders also use the information they have gleaned to set up rogue access points on a different radio channel in physical locations close to users to force a user’s radio network interface controller (NIC) to associate with the rogue access point. Once this association occurs, hackers using the rogue access point can capture the names and passwords of unsuspecting users.
####### MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN HORSES, AND SPYWARE
Malicious software programs are referred to as malware and include a variety of threats, such as computer viruses, worms, and Trojan horses. A computer virus is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission. Most computer viruses deliver a "payload." The payload may be relatively benign, such as instructions to display a message or image, or it may be highly destructive: destroying programs or data, clogging computer memory, reformatting a computer's hard drive, or causing programs to run improperly. Viruses typically spread from computer to computer when humans take an action, such as sending an e-mail attachment or copying an infected file. Most recent attacks have come from worms, which are independent computer programs that copy themselves from one computer to other computers over a network. Unlike viruses, worms can operate on their own without attaching to other computer program files and rely less on human behavior in order to spread from computer to computer. This explains why computer worms spread much more rapidly than computer viruses. Worms destroy data and programs as well as disrupt or even halt the operation of computer networks. Worms and viruses are often spread over the Internet from files of downloaded software, from files attached to e-mail transmissions, or from compromised e-mail messages, online ads, or instant messaging. Viruses have also invaded computerized information systems from "infected" disks or infected machines. Especially prevalent today are drive-by downloads, consisting of malware that comes with a downloaded file that a user intentionally or unintentionally requests.
Hackers can do to a smartphone just about anything they can do to any Internet device: request malicious files without user intervention, delete files, transmit files, install programs running in the background to monitor user actions, and potentially convert the smartphone into a robot in a botnet to send e-mail and text messages to anyone. With smartphones starting to outsell PCs, and smartphones increasingly used as payment devices, they are becoming a major avenue for malware. Malware targeting mobile devices is not yet as extensive as that targeting larger computers, but nonetheless is spreading using e-mail, text messages, Bluetooth, and file downloads from the Web via Wi-Fi or cellular networks. The security firm McAfee found nearly 13,000 different kinds of malware targeting mobile devices in 2012 compared to less than 2,000 in 2011, with almost all attacks targeting devices using Google’s Android operating system. (Graziano, 2012). Mobile device viruses pose serious threats to enterprise computing because so many wireless devices are now linked to corporate information systems.
Blogs, wikis, and social networking sites such as Facebook have emerged as new conduits for malware or spyware. These applications allow users to post software code as part of the permissible content, and such code can be launched automatically as soon as a Web page is viewed. On July 4, 2011, hackers broke into the "Fox News Politics" Twitter account, sending fake messages about President Barack Obama. The hackers changed the account's password, preventing Fox from correcting the messages for hours (Sherr, 2011). Internet security firm Symantec reported in 2012 that it had detected 403 million new and unique threats from malicious software in 2011, up from 286 million in 2010. Symantec observed that the amount of harmful software in the world passed the amount of beneficial software in 2007, and as many as one of every 10 downloads from the Web includes harmful programs (Drew and Kopytoff, 2011). According to Symantec, 36 percent of malware today is being targeted at small businesses, because it is more difficult for such companies to protect themselves against so many different types of attacks (Symantec, 2012). Table 8 describes the characteristics of some of the most harmful worms and viruses that have appeared to date. A Trojan horse is a software program that appears to be benign but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code to be introduced into a computer system. The term Trojan horse is based on the huge
TABLE 8 EXAMPLES OF MALICIOUS CODE

| Name | Type | Description |
|---|---|---|
| Conficker (aka Downadup, Downup) | Worm | First detected in November 2008 and still prevalent. Uses flaws in Windows software to take over machines and link them into a virtual computer that can be commanded remotely. Had more than 5 million computers worldwide under its control. Difficult to eradicate. |
| Storm | Worm/Trojan horse | First identified in January 2007. Spreads via e-mail spam with a fake attachment. Infected up to 10 million computers, causing them to join its zombie network of computers engaged in criminal activity. |
| Sasser | Worm | First appeared in May 2004. Spread over the Internet by attacking random IP addresses. Causes computers to continually crash and reboot, and infected computers to search for more victims. Affected millions of computers worldwide, disrupting British Airways flight check-ins, operations of British coast guard stations, Hong Kong hospitals, Taiwan post office branches, and Australia's Westpac Bank. Sasser and its variants caused an estimated $14 billion to $18 billion in damages worldwide. |
| MyDoom | Worm | First appeared on January 26, 2004. Spreads as an e-mail attachment. Sends e-mail to addresses harvested from infected machines, forging the sender's address. At its peak, this worm lowered global Internet performance by 10 percent and Web page loading times by as much as 50 percent. Was programmed to stop spreading after February 12, 2004. |
| Sobig | Worm | First detected on August 19, 2003. Spreads via e-mail attachments and sends massive amounts of mail with forged sender information. Deactivated itself on September 10, 2003, after infecting more than 1 million PCs and doing $5 to $10 billion in damage. |
| ILOVEYOU | Virus | First detected on May 3, 2000. Script virus written in Visual Basic script and transmitted as an attachment to e-mail with the subject line ILOVEYOU. Overwrites music, image, and other files with a copy of itself and did an estimated $10 billion to $15 billion in damage. |
| Melissa | Macro virus/worm | First appeared in March 1999. Word macro script mailing infected Word file to first 50 entries in user's Microsoft Outlook address book. Infected 15 to 29 percent of all business PCs, causing $300 million to $600 million in damage. |
of the MySpace “group” sites, which are dedicated to interests such as home beer brewing or animal welfare, into cyber-graffiti walls, filled with offensive comments and photographs.
Spoofing and Sniffing

Hackers attempting to hide their true identities often spoof, or misrepresent, themselves by using fake e-mail addresses or masquerading as someone else. Spoofing also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business as well as sensitive customer information from the true site. We provide more detail on other forms of spoofing in our discussion of computer crime. A sniffer is a type of eavesdropping program that monitors information traveling over a network. When used legitimately, sniffers help identify potential network trouble spots or criminal activity on networks, but when used for criminal purposes, they can be damaging and very difficult to detect. Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports.
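As an added example (my code, not the textbook's), the following dissects a single constructed Ethernet/IPv4/TCP frame the way a sniffer does and recovers an HTTP Basic credential from the payload. Every MAC address, IP address, port and the credential "alice:s3cret" in it is made-up test data, and nothing is captured from a real network; a second frame with an opaque, TLS-like payload shows what the same parser gets when the application data is encrypted.

```python
"""What a sniffer sees on an unencrypted link.

Added example, not from the textbook: it constructs one raw Ethernet/IPv4/TCP
frame carrying an HTTP request with Basic authentication (all addresses,
ports and the credential are made-up test data), parses the headers the way a
packet sniffer does, and pulls the plaintext credential out of the payload.
A second, TLS-like payload shows that the same parser recovers nothing when
the application data is encrypted. No live capture is performed.
"""
import base64
import os
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(octet) for octet in b)


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Assemble Ethernet II + IPv4 + TCP headers around a payload.
    Checksums are left at 0; a sniffer never needs them to read the data."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                       ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    # data offset 5 words (0x50), flags PSH|ACK (0x18)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ipv4 + tcp + payload


def parse_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Dissect Ethernet -> IPv4 -> TCP and return addresses, ports and payload.
    Returns None for anything that is not IPv4 over TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != PROTO_TCP:
        return None
    tcp_off = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]
    return {
        "src": bytes_to_ip(frame[26:30]), "dst": bytes_to_ip(frame[30:34]),
        "sport": src_port, "dport": dst_port, "payload": payload,
    }


def extract_basic_auth(payload: bytes) -> Optional[Tuple[str, str]]:
    """Find an HTTP 'Authorization: Basic <base64>' header and decode user:password."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            try:
                user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
            except (ValueError, UnicodeDecodeError):
                return None
            return user, password
    return None


# Constructed sample traffic.
HTTP_REQUEST = (
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"
)
PLAINTEXT_FRAME = build_frame("10.0.0.5", "10.0.0.1", 51000, 80, HTTP_REQUEST)
# Stand-in for TLS application data: the same request is opaque on the wire.
ENCRYPTED_FRAME = build_frame("10.0.0.5", "10.0.0.1", 51001, 443, os.urandom(len(HTTP_REQUEST)))
# An ARP frame (ethertype 0x0806) the dissector must ignore.
ARP_FRAME = bytes.fromhex("ffffffffffff001122334455" + "0806") + b"\x00" * 28


def sniff(frames: List[bytes]) -> List[Tuple[str, str, int, Tuple[str, str]]]:
    """Run the dissector over captured frames and report any credential found."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        creds = extract_basic_auth(pkt["payload"])
        if creds:
            found.append((pkt["src"], pkt["dst"], pkt["dport"], creds))
    return found


if __name__ == "__main__":
    for hit in sniff([PLAINTEXT_FRAME, ENCRYPTED_FRAME, ARP_FRAME]):
        print(hit)
```

The only thing standing between a sniffer and the credential is whether the application protocol encrypts its data: the dissector is identical for both frames, and on the port-443 frame it simply finds no header to decode.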
Denial-of-Service Attacks

In a denial-of-service (DoS) attack, hackers flood a network server or Web server with many thousands of false communications or requests for services to crash the network. The network receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and overwhelm the network from numerous launch points. For example, hours after the U.S. Department of Justice shut down file-sharing site Megaupload on January 19, 2012, the Anonymous hacker collective launched extensive retaliatory DDoS attacks against federal and entertainment industry Web sites. Web sites belonging to the FBI, U.S. Department of Justice, U.S. Copyright Office, Universal Music, the Recording Industry Association of America, and the Motion Picture Association of America were knocked offline for a large part of the day. Although DoS attacks do not destroy information or access restricted areas of a company's information systems, they often cause a Web site to shut down, making it impossible for legitimate users to access the site. For busy e-commerce sites, these attacks are costly; while the site is shut down, customers cannot make purchases. Especially vulnerable are small and midsize businesses whose networks tend to be less protected than those of large corporations. Perpetrators of DDoS attacks often use thousands of "zombie" PCs infected with malicious software without their owners' knowledge and organized into a botnet. Hackers create these botnets by infecting other people's computers with bot malware that opens a back door through which an attacker can give instructions. The infected computer then becomes a slave, or zombie, serving a master computer belonging to someone else.
Once hackers infect enough computers, they can use the amassed resources of the botnet to launch DDoS attacks, phishing campaigns, or unsolicited "spam" e-mail. Ninety percent of the world's spam and 80 percent of the world's malware are delivered via botnets. For example, the Grum botnet, once the world's third-largest botnet, was reportedly responsible for 18 percent of worldwide spam traffic (amounting to 18 billion spam messages per day) when it was shut down on July 19, 2012. At one point Grum had infected and controlled 560,000 to 840,000 computers.
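The difference between a single-source flood and a botnet-driven DDoS shows up clearly in a server's access log. The following added example (my code, not the textbook's; the log lines are constructed in Common Log Format with RFC 5737 documentation addresses) runs two detectors over the same constructed log: a per-source rate threshold, which catches the flood from one host, and an aggregate check on requests and distinct sources per window, which is what catches the botnet, whose individual zombies each stay well under the per-source limit.

```python
"""Telling a single-source flood from a distributed one in an access log.

Added example, not from the textbook: the log lines are constructed in
Common Log Format with RFC 5737 documentation addresses (192.0.2.x are
legitimate clients, 203.0.113.9 a single flooding host, 198.51.100.1-50 a
small botnet). A per-source rate threshold catches the DoS flood; the DDoS
traffic stays under that threshold on every source and is only visible when
requests per window and distinct sources per window are counted together.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = datetime(2012, 1, 19, 20, 0, 0, tzinfo=timezone.utc)
BASE_TS = int(BASE.timestamp())


def log_line(ip: str, offset_s: float, path: str = "/") -> str:
    """One constructed access-log line `offset_s` seconds after BASE."""
    stamp = (BASE + timedelta(seconds=offset_s)).strftime(TIME_FMT)
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


def constructed_log() -> List[str]:
    lines = []
    # Baseline: three legitimate clients, one request each every 10 s for a minute.
    for i in range(6):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(log_line(ip, i * 10))
    # DoS: one host sends 300 requests inside the 10 s window starting at +100 s.
    for i in range(300):
        lines.append(log_line("203.0.113.9", 100 + i / 30))
    # DDoS: 50 zombies send 4 requests each inside the window starting at +200 s.
    for n in range(1, 51):
        for k in range(4):
            lines.append(log_line(f"198.51.100.{n}", 200 + 2 * k))
    return lines


def parse_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (epoch seconds, source ip) for every well-formed line; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = int(datetime.strptime(m.group(2), TIME_FMT).timestamp())
        events.append((ts, m.group(1)))
    return events


def per_source_floods(events: List[Tuple[int, str]], window: int = 10,
                      threshold: int = 100) -> List[Tuple[int, str, int]]:
    """Sources exceeding `threshold` requests in any fixed `window`-second bucket.
    Returns (window start, source ip, request count)."""
    counts = Counter((ts // window, ip) for ts, ip in events)
    return sorted((bucket * window, ip, n) for (bucket, ip), n in counts.items() if n >= threshold)


def distributed_floods(events: List[Tuple[int, str]], window: int = 10,
                       total_threshold: int = 150, min_sources: int = 20) -> List[Tuple[int, int, int, int]]:
    """Windows whose total request count is abnormal *and* spread across many sources.
    Returns (window start, distinct sources, total requests, busiest single source)."""
    per_window = defaultdict(Counter)
    for ts, ip in events:
        per_window[ts // window][ip] += 1
    hits = []
    for bucket in sorted(per_window):
        c = per_window[bucket]
        total = sum(c.values())
        if total >= total_threshold and len(c) >= min_sources:
            hits.append((bucket * window, len(c), total, max(c.values())))
    return hits


EVENTS = parse_log(constructed_log())

if __name__ == "__main__":
    print("DoS  (per-source threshold):", per_source_floods(EVENTS))
    print("DDoS (aggregate + sources): ", distributed_floods(EVENTS))
```

The per-source detector never fires on the botnet window, because each zombie sends only four requests; the aggregate detector reports that window with 50 distinct sources and a busiest-source count of 4, which is the signature of many small contributors rather than one loud one. In production the thresholds would be derived from measured baselines rather than the fixed constants used here.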
Computer Crime

Most hacker activities are criminal offenses, and the vulnerabilities of systems we have just described make them targets for other types of computer crime as well. In November 2010, New York resident George Castro was charged with grand larceny for allegedly stealing nearly $4 million from Columbia University over the course of two months. Castro had added a TD Bank account belonging to him as a payee in the Columbia University Medical Center's accounts payable system (El-Ghobashy, 2010). Computer crime is defined by the U.S. Department of Justice as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." Table 8 provides examples of the computer as both a target and an instrument of crime. No one knows the magnitude of the computer crime problem: how many systems are invaded, how many people engage in the practice, or the total economic damage. According to the Ponemon Institute's Second Annual Cost of Cyber Crime Study sponsored by ArcSight, the median annualized cost of cybercrime for the organizations in the study was $5 million per year (Ponemon Institute, 2011). Many companies are reluctant to report computer crimes because the crimes may involve employees, or the company fears that publicizing its vulnerability will hurt its reputation. The most economically damaging kinds of computer crime are DoS attacks, introducing viruses, theft of services, and disruption of computer systems.
Identity Theft

With the growth of the Internet and electronic commerce, identity theft has become especially troubling. Identity theft is a crime in which an imposter obtains key pieces of personal information, such as social security identification numbers, driver's license numbers, or credit card numbers, to impersonate someone else. The information may be used to obtain credit, merchandise, or services in the name of the victim or to provide the thief with false credentials.
TABLE 8 EXAMPLES OF COMPUTER CRIME

Computers as targets of crime:
- Breaching the confidentiality of protected computerized data
- Accessing a computer system without authority
- Knowingly accessing a protected computer to commit fraud
- Intentionally accessing a protected computer and causing damage, negligently or deliberately
- Knowingly transmitting a program, program code, or command that intentionally causes damage to a protected computer
- Threatening to cause damage to a protected computer

Computers as instruments of crime:
- Theft of trade secrets
- Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video
- Schemes to defraud
- Using e-mail for threats or harassment
- Intentionally attempting to intercept electronic communication
- Illegally accessing stored electronic communications, including e-mail and voice mail
- Transmitting or possessing child pornography using a computer
“reasonable” security procedures to keep the data secure and to notify anyone affected by a data breach, but it has not been enacted.
Click Fraud

When you click on an ad displayed by a search engine, the advertiser typically pays a fee for each click, which is supposed to direct potential buyers to its products. Click fraud occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase. Click fraud has become a serious problem at Google and other Web sites that feature pay-per-click online advertising. Some companies hire third parties (typically from low-wage countries) to fraudulently click on a competitor’s ads to weaken them by driving up their marketing costs. Click fraud can also be perpetrated with software programs doing the clicking, and botnets are often used for this purpose. Search engines such as Google attempt to monitor click fraud but have been reluctant to publicize their efforts to deal with the problem.
Global Threats: Cyberterrorism and Cyberwarfare

The cyber criminal activities we have described—launching malware, denial-of-service attacks, and phishing probes—are borderless. China, the United States, South Korea, Russia, and Taiwan are currently the sources of most of the world’s malware (King, 2012). The global nature of the Internet makes it possible for cybercriminals to operate—and to do harm—anywhere in the world. Internet vulnerabilities have also turned individuals and even entire nation states into easy targets for politically-motivated hacking to conduct sabotage and espionage. Cyberwarfare is a state-sponsored activity designed to cripple and defeat another state or nation by penetrating its computers or networks for the purposes of causing damage and disruption.
TABLE 8 THE FIVE MOST EXPENSIVE DATA BREACHES

- U.S. Veterans Affairs Department: In 2006, the names, birth dates, and social security numbers of 17 million military veterans and personnel were stolen from a laptop that a Department of Veterans Affairs employee had taken home. The VA spent at least $25 million to run call centers, send out mailings, and pay for a year of a credit-monitoring service for victims.
- Heartland Payment Systems: In 2008, criminals led by Miami hacker Albert Gonzalez installed spying software on the computer network of Heartland Payment Systems, a payment processor based in Princeton, NJ, and stole the numbers of as many as 100 million credit and debit cards. Gonzalez was sentenced in 2010 to 20 years in federal prison, and Heartland paid about $140 million in fines and settlements.
- TJX: A 2007 data breach at TJX, the retailer that owns national chains including TJ Maxx and Marshalls, cost at least $250 million. Cyber criminals took more than 45 million credit and debit card numbers, some of which were used later to buy millions of dollars in electronics from Walmart and elsewhere. Albert Gonzalez, who played a major role in the Heartland hack, was linked to this cyberattack as well.
- Epsilon: In March 2011, hackers stole millions of names and e-mail addresses from the Epsilon e-mail marketing firm, which handles e-mail lists for major retailers and banks like Best Buy, JPMorgan, TiVo, and Walgreens. Costs could range from $100 million to $4 billion, depending on what happens to the stolen data, with most of the costs from losing customers due to a damaged reputation.
- Sony: In April 2011, hackers obtained personal information, including credit, debit, and bank account numbers, from over 100 million PlayStation Network users and Sony Online Entertainment users. The breach could cost Sony and credit card issuers up to a total of $2 billion.
In general, cyberwarfare attacks have become much more widespread, sophisticated, and potentially devastating. There are 250,000 probes trying to find their way into the U.S. Department of Defense networks every hour, and cyberattacks on U.S. federal agencies have increased 150 percent since 2008. Over the years, hackers have stolen plans for missile tracking systems, satellite navigation devices, surveillance drones, and leading-edge jet fighters. Cyberwarfare poses a serious threat to the infrastructure of modern societies, since their major financial, health, government, and industrial institutions rely on the Internet for daily operations. Cyberwarfare also involves defending against these types of attacks. The Interactive Session on Organizations describes some recent cyberwarfare attacks and their growing sophistication and severity.
####### INTERNAL THREATS: EMPLOYEES
We tend to think the security threats to a business originate outside the organization. In fact, company insiders pose serious security problems. Employees have access to privileged information, and in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace.

Studies have found that user lack of knowledge is the single greatest cause of network security breaches. Many employees forget their passwords to access computer systems or allow co-workers to use them, which compromises the system. Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information. This practice is called social engineering.

Both end users and information systems specialists are also a major source of errors introduced into information systems. End users introduce errors by entering faulty data or by not following the proper instructions for processing data and using computer equipment. Information systems specialists may create software errors as they design and develop new software or maintain existing programs.
####### SOFTWARE VULNERABILITY
Software errors pose a constant threat to information systems, causing untold losses in productivity. Growing complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed to an increase in software flaws or vulnerabilities. For example, a software error in an iPad app for paying bills caused Citibank to double the charge for customer payments between July and December 2011. Some customers using their iPads to settle their cable bill or mortgage payment, for example, actually paid twice (Protess, 2012).
A major problem with software is the presence of hidden bugs or program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs. The main source of bugs is the complexity of decision-making code. A relatively small program of several hundred lines will contain tens of decisions leading to hundreds or even thousands of different paths. Important programs within most corporations are usually much larger, containing tens of thousands or even millions of lines of code, each with many times the choices and paths of the smaller programs.
Zero defects cannot be achieved in larger programs. Complete testing simply is not possible. Fully testing programs that contain thousands of choices and millions of paths would require thousands of years. Even with rigorous testing, you would not know for sure that a piece of software was dependable until the product proved itself after much operational use.

Chapter 8 Securing Information Systems 335

ligence, stated that if even a single large American bank were successfully attacked, it would have an order-of-magnitude greater impact on the global economy than the World Trade Center attacks, and that the ability to threaten the U.S. money supply is the financial equivalent of a nuclear weapon. Many security experts believe that U.S. cybersecurity is not well-organized. Several different agencies, including the Pentagon and the National Security Agency (NSA), have their sights on being the leading agency in the ongoing efforts to combat cyberwarfare. The first headquarters designed to coordinate government cybersecurity efforts, called Cybercom, was activated in May 2010 in the hope of resolving this organizational tangle. In May 2011 President Barack Obama signed executive orders weaving cyber capabilities into U.S. military strategy, but these capabilities are still evolving. Will the United States and other nations be ready when the next Stuxnet appears?

Sources: Brian Royer, “Stuxnet, The Nation’s Power Grid, And The Law Of Unintended Consequences,” Dark Reading, March 12, 2012; Thomas Erdbrink, “Iran Confirms Attack by Virus That Collects Information,” The New York Times, May 29, 2012; Nicole Perlroth, “Virus Infects Computers Across Middle East,” The New York Times, May 28, 2012; Thom Shanker and Elisabeth Bumiller, “After Suffering Damaging Cyberattack, the Pentagon Takes Defensive Action,” The New York Times, July 15, 2011; Robert Lemos, “Secure Best Practices No Proof Against Stuxnet,” CSO, March 3, 2011; Lolita C. Baldor, “Pentagon Gets Cyberwar Guidelines,” Associated Press, June 22, 2011; William J. Broad, John Markoff, and David E. Sanger, “Israel Tests on Worm Called Crucial in Iran Nuclear Delay,” The New York Times, January 15, 2011; George V. Hulme, “SCADA Insecurity” and Michael S. Mimoso, “Cyberspace Has Gone Offensive,” Information Security’s Essential Guide to Threat Management (June 14, 2011); and Siobhan Gorman and Julian A. Barnes, “Cyber Combat: Act of War,” The Wall Street Journal, May 31, 2011.

Case Study Questions

- Is cyberwarfare a serious problem? Why or why not?
- Assess the management, organization, and technology factors that have created this problem.
- What makes Stuxnet different from other cyberwarfare attacks? How serious a threat is this technology?
- What solutions have been proposed for this problem? Do you think they will be effective? Why or why not?
Flaws in commercial software not only impede performance but also create security vulnerabilities that open networks to intruders. Each year security firms identify thousands of software vulnerabilities in Internet and PC software. For instance, in 2011, Symantec identified 351 browser vulnerabilities: 70 in Chrome, about 50 in Safari and Firefox, and 50 in Internet Explorer. Some of these vulnerabilities were critical (Symantec, 2012).
To correct software flaws once they are identified, the software vendor creates small pieces of software called patches to repair the flaws without disturbing the proper operation of the software. An example is Microsoft’s Windows 7 Service Pack 1, which features security, performance, and stability updates for Windows 7. It is up to users of the software to track these vulnerabilities, test, and apply all patches. This process is called patch management.
Because a company’s IT infrastructure is typically laden with multiple business applications, operating system installations, and other system services, maintaining patches on all devices and services used by a company is often time-consuming and costly. Malware is being created so rapidly that companies have very little time to respond between the time a vulnerability and a patch are announced and the time malicious software appears to exploit the vulnerability.
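Patch management starts with the bookkeeping the text describes: knowing what is installed, which advisories apply to it, and which hosts are still exposed. The script below is an added example, not code from the textbook: it compares a constructed software inventory against a constructed advisory list (the package names, versions and ADV-… identifiers are hypothetical) and produces a prioritised work queue. The one subtlety worth showing is version comparison, which must be numeric per component so that 12.12 is recognised as newer than 12.4.

```python
"""Patch-management triage: which installed packages are still exposed?

Added example; the inventory and advisories below are constructed sample
data, and the package names, versions and advisory IDs are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed software inventory: host -> {package: installed version}
INVENTORY = {
    "web-01": {"nginx": "1.18.0", "openssl": "1.1.1k", "python3": "3.8.10"},
    "db-01": {"openssl": "1.1.1w", "postgresql": "12.4"},
}

# Constructed advisories: the first version in which the flaw is fixed
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "fixed_in": "1.1.1t", "severity": "critical"},
    {"id": "ADV-0002", "package": "postgresql", "fixed_in": "12.12", "severity": "high"},
    {"id": "ADV-0003", "package": "nginx", "fixed_in": "1.18.0", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version: str) -> tuple:
    """Split '1.1.1k' into (1, 1, 1, 'k') so comparison is per component and
    numeric where possible: '12.12' sorts after '12.4', which a plain string
    comparison gets wrong. Numeric parts sort before letter suffixes."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Exposed when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    fixed_in: str
    advisory: str
    severity: str


def missing_patches(inventory=INVENTORY, advisories=ADVISORIES) -> list[Finding]:
    """Cross the inventory with the advisories and return the unpatched pairs,
    worst severity first so the list doubles as a work queue."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:  # package not present on this host
                continue
            if is_vulnerable(installed, adv["fixed_in"]):
                findings.append(Finding(host, adv["package"], installed,
                                        adv["fixed_in"], adv["id"], adv["severity"]))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.package))
    return findings


if __name__ == "__main__":
    for f in missing_patches():
        print(f"{f.severity:8} {f.host:7} {f.package} {f.installed} -> {f.fixed_in} ({f.advisory})")
```

With the sample data the queue contains two items: the critical openssl advisory on web-01 and the high postgresql advisory on db-01; nginx on web-01 is already at the fixed version and db-01's openssl is newer than the fix, so neither is reported.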
8 BUSINESS VALUE OF SECURITY AND CONTROL
Many firms are reluctant to spend heavily on security because it is not directly related to sales revenue. However, protecting information systems is so critical to the operation of the business that it deserves a second look. Companies have very valuable information assets to protect. Systems often house confidential information about individuals’ taxes, financial assets, medical records, and job performance reviews. They also can contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies. Government systems may store information on weapons systems, intelligence operations, and military targets. These information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or placed in the wrong hands.

Systems that are unable to function because of security breaches, disasters, or malfunctioning technology can permanently impact a company’s financial health. Some experts believe that 40 percent of all businesses will not recover from application or data losses that are not repaired within three days (Focus Research, 2010).

Inadequate security and control may result in serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An organization can be held liable for needless risk and harm created if the organization fails to take appropriate protective action to prevent loss of confidential information, data corruption, or breach of privacy. For example, BJ’s Wholesale Club was sued by the U.S. Federal Trade Commission for allowing hackers to access its systems and steal credit and debit card data for fraudulent purchases. Banks that issued the cards with the stolen data sought $13 million from BJ’s to compensate them for reimbursing card holders for the fraudulent purchases.
A sound security and control framework that protects business information assets can thus produce a high return on investment. Strong security and control also increase employee productivity and lower operational costs.
####### LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC RECORDS MANAGEMENT
Recent U.S. government regulations are forcing companies to take security and control more seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection. If you work in the health care industry, your firm will need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. It requires members of the health care industry to retain patient information for six years and ensure the confidentiality of those records. It specifies privacy, security, and electronic transaction standards for health care providers handling patient information,
- Recovering data from computers while preserving evidential integrity
- Securely storing and handling recovered electronic data
- Finding significant information in a large volume of electronic data
- Presenting the information to a court of law

Electronic evidence may reside on computer storage media in the form of computer files and as ambient data, which are not visible to the average user. An example might be a file that has been deleted on a PC hard drive. Data that a computer user may have deleted on computer storage media can be recovered through various techniques. Computer forensics experts try to recover such hidden data for presentation as evidence.

An awareness of computer forensics should be incorporated into a firm’s contingency planning process. The CIO, security specialists, information systems staff, and corporate legal counsel should all work together to have a plan in place that can be executed if a legal need arises. You can find out more about computer forensics in the Learning Tracks for this chapter.
8 ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL
Even with the best security tools, your information systems won’t be reliable and secure unless you know how and where to deploy them. You’ll need to know where your company is at risk and what controls you must have in place to protect your information systems. You’ll also need to develop a security policy and plans for keeping your business running if your information systems aren’t operational.
####### INFORMATION SYSTEMS CONTROLS
Information systems controls are both manual and automated and consist of general and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure. On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment.

General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over implementation of system processes, and administrative controls. Table 8 describes the functions of each of these controls.

Application controls are specific controls unique to each computerized application, such as payroll or order processing. They include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls. Input controls check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling. Processing controls establish that data are complete and accurate during updating. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed.
340 Part Two Information Technology Infrastructure
You can find more detail about application and general controls in our Learning Tracks.
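As an added example (not code from the textbook) of what input and processing controls look like inside an order-processing application, the script below validates a constructed batch of orders. Input controls are the authorization check (only listed user IDs may submit), data conversion (quantity and amount are parsed into typed values), data editing (SKU must exist, quantity must be a positive integer, amount must be positive money with at most two decimals) and error handling (every rejected record is logged with its reason rather than silently dropped). The processing control is a batch reconciliation: the sender's record count and amount total in the header must match what was actually received, or the whole batch is held. The record layout, the authorised-user list, the product master and the batch header are all assumptions of this example.

```python
"""Application controls for an order-processing feed: input edit checks plus
a processing control (record count / control total). Added example, not code
from the textbook; the record format, the authorised-submitter list, the SKU
master and the sample batch are constructed for illustration."""
import re
from decimal import Decimal, InvalidOperation

# Constructed: user IDs allowed to submit orders (input authorization)
AUTHORISED_SUBMITTERS = {"clerk01", "clerk02"}
VALID_SKUS = {"A100", "B200", "C300"}  # constructed product master

# Constructed batch. The HDR line carries the sender's control totals
# (record count and sum of amounts); each ORD line is one order:
# ORD|submitter|sku|quantity|amount
SAMPLE_BATCH = """\
HDR|count=4|total=1250.00
ORD|clerk01|A100|2|500.00
ORD|clerk02|B200|0|250.00
ORD|intern9|C300|1|300.00
ORD|clerk01|Z999|1|200.00
"""


def parse_order(line: str):
    """Input controls: authorization, data conversion and edit checks.
    Returns (order_dict, None) on success or (None, reason) on rejection."""
    fields = line.split("|")
    if len(fields) != 5 or fields[0] != "ORD":
        return None, "malformed record"
    _, user, sku, qty, amount = fields
    if user not in AUTHORISED_SUBMITTERS:
        return None, f"unauthorised submitter {user}"
    if sku not in VALID_SKUS:
        return None, f"unknown SKU {sku}"
    if not re.fullmatch(r"[1-9]\d*", qty):  # quantity: positive integer only
        return None, f"invalid quantity {qty!r}"
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        amt = None
    # money: finite, positive, at most two decimal places ('NaN' and 'Infinity'
    # parse as Decimals, so is_finite() must be checked before comparing)
    if amt is None or not amt.is_finite() or amt <= 0 or amt.as_tuple().exponent < -2:
        return None, f"invalid amount {amount!r}"
    return {"user": user, "sku": sku, "qty": int(qty), "amount": amt}, None


def process_batch(text: str = SAMPLE_BATCH) -> dict:
    """Processing control: the records received must reconcile with the
    header's control totals; if not, the batch is held for review even if
    every individual record passed its edit checks."""
    lines = text.strip().splitlines()
    header = dict(kv.split("=") for kv in lines[0].split("|")[1:])
    expected_count = int(header["count"])
    expected_total = Decimal(header["total"])
    accepted, rejected = [], []
    seen_total = Decimal("0")
    for n, line in enumerate(lines[1:], start=1):
        order, err = parse_order(line)
        if err:
            rejected.append((n, err))  # error handling: record, don't drop
        else:
            accepted.append(order)
        # The control total covers every record presented, valid or not: it
        # detects records lost or altered in transit, not bad content.
        try:
            seen_total += Decimal(line.split("|")[4])
        except (IndexError, InvalidOperation):
            pass
    reconciled = (len(lines) - 1 == expected_count) and (seen_total == expected_total)
    return {"accepted": accepted, "rejected": rejected, "reconciled": reconciled}


if __name__ == "__main__":
    result = process_batch()
    print("reconciled:", result["reconciled"])
    for order in result["accepted"]:
        print("accepted:", order)
    for n, reason in result["rejected"]:
        print(f"rejected record {n}: {reason}")
```

On the sample batch the totals reconcile (4 records, $1,250.00), one order is accepted, and three are rejected for a zero quantity, an unauthorised submitter and an unknown SKU respectively. Note the separation of concerns: reconciliation answers "did I get everything the sender sent?", the edit checks answer "is each record acceptable?", and a failure of either is reported, not swallowed.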
####### RISK ASSESSMENT
Before your company commits resources to security and information systems controls, it must know which assets require protection and the extent to which these assets are vulnerable. A risk assessment helps answer these questions and determine the most cost-effective set of controls for protecting assets.

A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Not all risks can be anticipated and measured, but most businesses will be able to acquire some understanding of the risks they face. Business managers working with information systems specialists should try to determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. For example, if an event is likely to occur no more than once a year, with a maximum of a $1,000 loss to the organization, it is not wise to spend $20,000 on the design and maintenance of a control to protect against that event. However, if that same event could occur at least once a day, with a potential loss of more than $300,000 a year, $100,000 spent on a control might be entirely appropriate.

Table 8 illustrates sample results of a risk assessment for an online order processing system that processes 30,000 orders per day. The likelihood of each exposure occurring over a one-year period is expressed as a percentage. The next column shows the highest and lowest possible loss that could be expected each time the exposure occurred and an average loss calculated by adding the highest and lowest figures together and dividing by two. The expected annual loss for each exposure can be determined by multiplying the average loss by its probability of occurrence. This risk assessment shows that the probability of a power failure occurring in a one-year period is 30 percent. Loss of order transactions while power is down could range from $5,000 to $200,000 (averaging $102,500) for each occurrence,
TABLE 8 GENERAL CONTROLS

- Software controls: Monitor the use of system software and prevent unauthorized access of software programs, system software, and computer programs.
- Hardware controls: Ensure that computer hardware is physically secure, and check for equipment malfunction. Organizations that are critically dependent on their computers also must make provisions for backup or continued operation to maintain constant service.
- Computer operations controls: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. They include controls over the setup of computer processing jobs and backup and recovery procedures for processing that ends abnormally.
- Data security controls: Ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage.
- Implementation controls: Audit the systems development process at various points to ensure that the process is properly controlled and managed.
- Administrative controls: Formalize standards, rules, procedures, and control disciplines to ensure that the organization’s general and application controls are properly executed and enforced.
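The risk-assessment arithmetic described in the text (average loss as the midpoint of the lowest and highest loss per occurrence, expected annual loss as that average times the probability of occurrence, and a control being worthwhile only while it costs less than the loss it averts) is small enough to carry through in code. The block below is an added example, not from the textbook; it uses the power-failure figures the text quotes (30 percent, $5,000 to $200,000) plus one second exposure whose figures are constructed for this example so that the ranking has something to order.

```python
"""Annualized expected loss, following the method in the text:
    average loss         = (lowest loss + highest loss) / 2
    expected annual loss = average loss x probability of occurrence in a year
A control is justified while it costs less than the expected annual loss it
removes. Added example; the power-failure numbers are the text's, the
embezzlement exposure is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float  # likelihood of occurring within one year, 0.0 to 1.0
    loss_low: float     # lowest loss per occurrence, in dollars
    loss_high: float    # highest loss per occurrence, in dollars

    @property
    def average_loss(self) -> float:
        return (self.loss_low + self.loss_high) / 2

    @property
    def expected_annual_loss(self) -> float:
        return self.probability * self.average_loss


# From the text: 30% chance of a power failure, $5,000 to $200,000 per occurrence
POWER_FAILURE = Exposure("Power failure", 0.30, 5_000, 200_000)
# Constructed second exposure (not from the text)
EMBEZZLEMENT = Exposure("Embezzlement", 0.05, 1_000, 50_000)


def control_justified(expected_annual_loss: float, control_cost: float) -> bool:
    """The text's rule of thumb: don't spend more on a control than the
    annual loss it protects against."""
    return control_cost < expected_annual_loss


def rank_exposures(exposures):
    """Largest expected annual loss first: where control spending should go."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss, reverse=True)


if __name__ == "__main__":
    for e in rank_exposures([POWER_FAILURE, EMBEZZLEMENT]):
        print(f"{e.name:14} average ${e.average_loss:>9,.0f}  expected ${e.expected_annual_loss:>8,.0f}/yr")
    # The text's two boundary cases
    print(control_justified(1_000, 20_000))     # at most $1,000/yr vs a $20,000 control -> False
    print(control_justified(300_000, 100_000))  # >$300,000/yr vs a $100,000 control -> True
```

For the power-failure row this gives an average loss of $102,500 and an expected annual loss of $30,750, which is the ceiling on what it is rational to spend each year on controls against that exposure alone. The method is deliberately coarse: a probability-times-midpoint estimate ignores how losses are distributed between the two extremes, so treat the output as a ranking and a budget ceiling rather than a precise forecast.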
INTERACTIVE SESSION: TECHNOLOGY MWEB BUSINESS: HACKED

MWEB, launched in 1997, became South Africa's leading ISP in 1998. It has established itself as a company that provides a cutting-edge network and

- High-speed antivirus/antispyware software with automatic updates
- An enhanced firewall service