35 Security Issues
Ms.Vinodini Kapoor
- Learning Outcome:
- Develop an understanding of concerns regarding security issues relating to information systems.
- Understand potential security issues and computer crimes.
- Understand the security and ethical responsibility of business professionals.
- Understand the concept of information systems security audit.
- Get an overview of security measures for MIS systems.
- Introduction
Data and information are critical for a company to protect. Information systems hold confidential information about individuals’ taxes, financial assets, medical records, and job performance reviews. They may also contain information on corporate strategic decisions, new product development plans, and marketing strategies.
Government systems may store information on weapons systems, intelligence operations, and military targets. These information assets are the knowledge bank of the organization, and the repercussions can be devastating if they are tampered with, lost, destroyed, or placed in the wrong hands (Refer Exhibit 2).
Information technologies and systems do not just affect the organizational climate; they also have an impact on employment, individuality, working conditions, privacy and computer crime. Thus, while IS can be a boon, it can also have detrimental effects on society and people in each of these areas.
The digital world raises concerns and poses important questions, such as: Who is the actual owner of information? Who is responsible for making the information accurate? Should we set guidelines on how business organizations and business professionals should use information and computer systems?
Securing data is as essential as capturing it. With organizations accumulating enormous amounts of data, it is of paramount importance to ensure end-to-end security of data and protection of the information it yields. Negligence in this regard can cause security breaches and mishandling of customer-specific information. This could be personal information, credit or debit card details, transaction-related information, and information linked to databases. Hackers tend to take advantage of a weak data encryption system and may steal credit card data during a wireless transfer. This is possible if a system is not protected by any firewall. Unauthorized access to databases and servers can tempt hackers to tamper with critical information. One of the most common ways a system’s security is breached is through malware being downloaded by the user. In almost every case where malware is installed, the reason is that the user was tricked into downloading it. Hence the inevitable need for companies to delve into the details of measures that prevent the improper outflow of sensitive data, which can result from trespassing or the deliberate actions of insiders or cyber attackers.
With a surge of internet-based applications and enormous data, the concept of cloud computing has gained momentum. With cloud computing one can run applications over a hosted platform using the internet. This helps in sharing the hardware and infrastructure using the web as a medium. However, the underlying concern for data security is of paramount importance, as highlighted in Exhibit 3.
- Security concerns in MIS implementation.
There are two major aspects of information system security. These can be stated as:
- Security of the technology used – It is very important to protect the system from malicious threats and cyber-attacks that may break into the system and access business critical information. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The elements are confidentiality, possession, integrity, authenticity, availability, and utility.
- Security of data – Ensuring data integrity when critical issues arise, such as natural disasters, malfunction, theft or trespassing. It is important to maintain a backup in case of a failover. Data security refers to protection from external threats as well as internal threats, and from physical threats to hardware or over-the-air attacks on system software. Businesses are sensitive to proprietary customer data traveling over network lines.
For any individual or organization that uses computer technology, security threats are evolving and becoming increasingly dangerous. This makes it imperative to understand the types of computer threats that may affect a computer system or a network.
1. Hacking – The Information Technology Act 2000, Section 66, defines hacking as the unauthorized access to computer systems and networks. Hacking deals with bypassing security protocols to gain unauthorized access to a system. Whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits hacking.
A hacked system may involve the following:
- Remote access to systems where software programs have been installed to spy on the user activity.
- Access to sensitive information.
- SQL (Structured Query Language) injection and exploiting vulnerabilities in the database software to gain access, social engineering techniques that trick users into submitting IDs and passwords, etc.
- Unauthorized Access – ‘Access’ is defined in Section 2(1)(a) of the IT Act as “gaining entry into, instructing or communicating with the logical, means of any kind without permission of either the rightful owner or the person in-charge of a computer, computer system or network.” The standard convention is to use a combination of a username and a password. Hackers can snoop if the user does not follow security best practices.
Organizations use mobile devices to detect any such activity or trace the IP address of an unauthorized user to provide additional security. For example, if Google is suspicious of the login on an account, it will ask the person about to log in to confirm their identity using a mobile device, or send a number by SMS that supplements the username and password. Users are required to answer security questions accurately during signup, such as the name of their first pet, maiden name, etc.
- Packet Sniffing – Interception and then decryption of data packets is called packet sniffing. These packets are termed datagrams. To simplify, a datagram is the basic transfer unit associated with a packet-switched network. Datagrams come in various sizes, depending on network bandwidth, and their data is measured in bytes. Each is identified by its ‘header’, which carries information about various attributes like source, destination, packet size, etc.
- Tempest Attack – The word tempest stands for Transient electromagnetic pulse emulating standard. Tempest is the ability to monitor electromagnetic emissions from computers in order to reconstruct the data. This procedure involves the remote monitoring of network cables. It is important to note that certain fonts remove the high frequency information. This further reduces the ability to view text on the screen remotely.
- Password Cracking – Password cracking refers to decrypting a password by bypassing a protection scheme. A password is a combination of characters or a secret word or phrase that a user must know in order to gain access to a system.
- Buffer Overflow – Buffer overflow, also known as buffer overrun, input overflow or unchecked buffer overflow, is the most common way of breaking into a computer. It involves the input of excess data into a computer. The excess may enter the computer’s memory, allowing the hacker to run executable code along with the input and thus break into the computer.
- Phishing – As shown in exhibit 12, phishing refers to fake websites that send text and email messages prompting the receiver to enter confidential personal data. These look like genuine senders seeking details like PAN number, social security and bank details which are mapped in their databases. Victims commonly give up the data by responding to the e-mail message, by entering the information at a fraudulent web site, or by calling a telephone number. EBay, PayPal, Walmart, and a variety of banks are among the top spoofed companies.
- Viruses – A computer virus can cause damage by destroying or altering data on a computer. A virus spreads at an alarming rate as it is self-propagating in nature. It spreads faster when an infected file or attachment is opened. Y2K and Code Red are among some damaging viruses. The damage can be so serious that it affects the operating system. “Code Red” is capable of slowing down the internet and other computer processes by hooking itself onto other computers once the email is sent, thus creating a very damaging chain-reaction.
- Spamming – Spamming is the practice of sending unsolicited e-mail and other electronic communication. Spamming is one of the easiest methods to infest a computer system. The spammers involved in broadcasting such e-mails are charged a very minimal fee to send out the e-mails to users who have not requested the information. Although laws prohibiting spamming exist, they are hardly enforced.
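The packet sniffing item above notes that each datagram's header carries its source, destination and packet size. The following is an added example, not part of the original module, that parses those attributes from an IPv4 header to show what a capture exposes even when the payload is encrypted; the sample bytes and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample datagram: 20-byte IPv4 header + 8 payload bytes.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE = bytes.fromhex(
    "4500001c1c464000"   # version 4, IHL 5, total length 28, id, flags
    "40063256"           # TTL 64, protocol 6 (TCP), header checksum
    "c0000205"           # source 192.0.2.5
    "c6336407"           # destination 198.51.100.7
) + bytes(8)

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def header_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum over a valid header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_header(datagram: bytes) -> dict:
    """Return the header attributes a capture exposes, validating lengths."""
    if len(datagram) < 20:
        raise ValueError("truncated: shorter than the minimum IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if header_len < 20 or header_len > len(datagram):
        raise ValueError("bad header length field")
    if total_len < header_len or total_len > len(datagram):
        raise ValueError("total length disagrees with captured bytes")
    return {
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "ttl": ttl,
        "packet_size": total_len,
        "payload_size": total_len - header_len,
        "checksum_ok": header_checksum_ok(datagram[:header_len]),
    }


if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
```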
- Security as an ethical responsibility of professionals
Business and IT activities involve many ethical considerations. Basic principles of technology and business ethics can serve as guidelines for business professionals when dealing with ethical business issues that may arise in the widespread use of information technology in business and society.
When large amounts of data are stored in electronic form, they are vulnerable to many more kinds of threats than when they existed in manual form. Through communications networks, information systems in different locations are interconnected. The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network.
- One of the most important responsibilities of the management of a company is to ensure the security and quality of its IT-enabled business activities. Security management tools and policies can ensure the accuracy, integrity, and safety of the information systems and resources of a company and thus minimize errors, fraud, and security losses in its business activities.
- The use of encryption of confidential business data, firewalls, e-mail monitoring, antivirus software, security codes, backup files, security monitors, biometric security measures, computer failure controls, fault-tolerant systems, disaster recovery measures, information system controls, and security audits of business systems are among various measures to ensure security.
- Firewalls prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. The firewall acts like a gatekeeper who examines each user’s credentials before access is granted to a network. The firewall identifies names, IP addresses, applications, and other characteristics of incoming traffic. It checks this information against the access rules that have been programmed into the system by the network administrator. The firewall prevents unauthorized communication into and out of the network.
- Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points or “hot spots” of corporate networks to detect and deter intruders continually. The system generates an alarm when it finds a suspicious or anomalous event. Scanning software looks for patterns indicative of known methods of computer attacks, such as bad passwords, checks to see if important files have been removed or modified, and sends warnings of vandalism or system administration errors.
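The two checks named in the intrusion detection item, repeated bad passwords and important files removed or modified, can be sketched as follows. This is an added example, not part of the original module; the log format, file contents, threshold and function names are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (documentation addresses).
SAMPLE_LOG = [
    "2024-05-01T03:12:01 sshd[411]: Failed password for root from 203.0.113.9 port 50122",
    "2024-05-01T03:12:04 sshd[411]: Failed password for admin from 203.0.113.9 port 50124",
    "2024-05-01T03:12:09 sshd[412]: Accepted password for alice from 198.51.100.20 port 40110",
    "2024-05-01T03:12:11 sshd[411]: Failed password for root from 203.0.113.9 port 50130",
    "2024-05-01T03:40:00 sshd[415]: Failed password for bob from 198.51.100.20 port 40200",
]
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for \S+ from (\S+)")


def bad_password_alerts(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert once per source that has `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)  # source address -> times of recent failures
    alerts = {}
    for line in lines:
        match = FAILED.match(line)
        if not match:
            continue
        when, source = datetime.fromisoformat(match.group(1)), match.group(2)
        times = recent[source]
        times.append(when)
        while when - times[0] > window:  # forget failures outside the window
            times.popleft()
        if len(times) >= threshold:
            alerts.setdefault(source, when.isoformat())
    return alerts


def fingerprint(files):
    """Map each path to the SHA-256 of its content; taken once as the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_findings(baseline, current):
    """List important files removed, modified or added since the baseline."""
    findings = []
    for path in sorted(baseline):
        if path not in current:
            findings.append(("removed", path))
        elif current[path] != baseline[path]:
            findings.append(("modified", path))
    findings += [("added", path) for path in sorted(set(current) - set(baseline))]
    return findings


if __name__ == "__main__":
    # Constructed file contents standing in for files read from disk.
    before = fingerprint({"/etc/passwd": b"root:x:0:0", "/etc/hosts": b"127.0.0.1 localhost"})
    after = fingerprint({"/etc/passwd": b"root:x:0:0\nintruder:x:0:0"})
    print(bad_password_alerts(SAMPLE_LOG))
    print(integrity_findings(before, after))
```

The baseline fingerprint has to be stored where an intruder on the monitored host cannot rewrite it, otherwise a modified file can be made to match.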
- Auditing
The IT audit is responsible for the assessment and evaluation of the functionality of the information systems and operations. It determines whether the system in place is actually securing assets while maintaining the integrity and confidentiality of data. This helps to analyze how effectively and efficiently the platform can achieve the organization’s goals or objectives. This is also termed a technology audit. Aspects of the technology audit are shown in Exhibit 18.
Exhibit 18: Information System – Technology Audit
Image Source: http://www.aisaconsulting.com/images/technology-Audit.png
The IT audit is responsible for evaluating the security standards and technology protocols. It determines to what extent the organization is using best practices to follow security measures and guard data. It further checks that the right information is made available to the right user authorized to access it. The focus of this process is to determine risks relevant to information assets and to assess controls that reduce or mitigate these risks.
To sum up, the main aim of the IT audit is to check for:
- Availability – Will the organization’s computer systems be available for the business at all times whenever required?
- Confidentiality – Will the information in the systems be disclosed only to authorized users who need access to it?
- Integrity – Will the information provided by the system always be authentic, reliable and provided within the necessary timeframe?
5.1 Types of Information Technology Audit
There exist different terminologies to distinguish the various types of IT Audits.
- Technological innovation process audit – This method creates an assessment profile for all The audit is required to check the extent of the company’s experience in technology and its presence in specific markets and the organization of the project.
- Innovation and comparison audit – This technique conducts an analysis of the organizational abilities with respect to its competitors. This closely monitors the research and development and previous record in new product development.
- Technological audit – This audit makes an assessment of technologies that the business currently has and which it needs to add. Technologies are assigned the nomenclature as being “base” or “key” or “pacing” or “emerging.”
Further the portfolio of IT Audit also covers,
- Systems and Applications – This aims to verify that all applications sufficiently ensure valid and accurate input, processes and output.
- Systems development audit – The aim is to verify that system under development is in accordance with the organizational objectives as well as the generally accepted principles and standards for system development.
- Information processing facilities – This audit verifies that the processing facility is in compliance, to ensure timely, accurate and efficient processing of applications.
- Intranets and Extranets – This audit verifies that controls are in place on the client/server and on the network connecting client and servers.
- Management of IT and overall architecture – Audit to verify the IT management function and system architecture to ensure an efficient framework for information processing.
5.2 Information systems security audit.
Audit refers to a detailed inspection which is an evaluation of an organization’s code of conduct. It assesses to what extent the data is in compliance with policies, processes, and practices for safeguarding electronic information from damage, loss or denial of availability. The scope of work is inclusive of general as well as application controls. It is essential for the audit steps to relate to testing controls of access points. This helps to establish the connectivity of local area networks, wide area networks, intranet, internet etc in the IT environment.
IS Security audit can be performed in engagements where
- The specific audit objective is to evaluate security
- The audit objectives are much broader but evaluating security is a necessary subset.
The potential security objectives for an IS security audit are:
- To support financial statement audits, such as by assessing IS security controls. This assessment may affect the nature and extent of the financial audit steps to be performed, as well as provide timely support for needed improvements in computer-related controls.
- To support performance audits, such as by assessing how well an information system protects the integrity and reliability of data and the effect of this level of protection on program performance.
- To supplement IT audits by assessing the effectiveness of security within the context of a general or application specific control audit.
- To provide independent system security audit so that the risks are clearly identified and can be addressed.
- To support investigative or forensic audits by identifying unauthorized access to or manipulation of sensitive data.
- To provide an auditor’s perspective on IS security during system development, so that controls can be appropriately designed into the system.
The organization’s objectives for developing an IS audit capability may combine the above or vary from them.
6. Security measures for MIS systems
An effective information security platform requires preventing unauthorized individuals or systems from accessing the information.
- It is essential to maintain the accuracy and consistency of data over its entire life-cycle, and to ensure that the computing systems, the security parameters used to protect them and the communication channels used to access them function correctly all the time, thus making information available in all situations.
- It is imperative to maintain a data log of transactions and communications, to support backup security and data integrity.
- Maintaining the integrity of a transaction is crucial, by validating that both parties involved are genuine. It is necessary to use authentication techniques like “digital signatures” and two-factor authentication.
- Incorporating non-repudiation, i.e., once a transaction takes place, none of the parties can deny either having received a transaction or having sent a transaction. This requires a proper reconciliation process with acknowledgement of settlement.
- It is important to safeguard data and the interactions stored and shared in network systems.
- Organizations can incorporate security by implementing fundamental strategies such as using only licensed copies of software which are unlikely to have viruses installed on them and by limiting access to computers and files on those computers. Just as physical files have limited access points, so data files should also be limited to those individuals who have a business reason for viewing the files.
- Passwords and access codes provide security at each level. The requirement of data security is proportional to an organization’s dependence on information technology.
- However, it should be noted that when information is at risk, the corresponding security technology can handle only a small fraction of the repercussions of that risk.
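The items above on keeping a transaction log for data integrity and on authenticating transactions can be illustrated with a tamper-evident log. This is an added example, not part of the original module: each entry is chained to the previous one by hash and tagged with an HMAC under a constructed demo key. An HMAC uses a key shared by both sides, so it gives integrity and authenticity but not non-repudiation; that requires a digital signature made with a private key only the sender holds.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed demo key; a real deployment loads the key from a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def entry_digest(prev_hash, record):
    """Hash the record together with the previous entry's hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(log, record, key):
    """Append `record`, chaining it to the previous entry and tagging it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    digest = entry_digest(prev_hash, record)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    log.append({"record": record, "prev": prev_hash, "hash": digest, "tag": tag})
    return log


def verify_log(log, key):
    """Return the index of the first bad entry, or None if the log is intact."""
    prev_hash = GENESIS
    for index, entry in enumerate(log):
        expected = entry_digest(prev_hash, entry["record"])
        tag = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if (entry["prev"] != prev_hash or entry["hash"] != expected
                or not hmac.compare_digest(entry["tag"], tag)):
            return index
        prev_hash = expected
    return None


def build_sample_log(key=DEMO_KEY):
    """Three constructed transactions, used to exercise the checks."""
    log = []
    for record in (
        {"txn": 1, "from": "acct-A", "to": "acct-B", "amount": 250},
        {"txn": 2, "from": "acct-B", "to": "acct-C", "amount": 75},
        {"txn": 3, "from": "acct-C", "to": "acct-A", "amount": 10},
    ):
        append_entry(log, record, key)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log, DEMO_KEY))
    log[1]["record"]["amount"] = 7500          # alter a stored transaction
    print("first bad entry:", verify_log(log, DEMO_KEY))
```

Removing entries from the end of the log is not detected by the chain alone; the latest hash has to be recorded somewhere the log's writer cannot change.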
- Summary
Power is usually associated with a certain degree of responsibility. With the use of information systems comes a plethora of new opportunities and business applications. However, they also induce issues that can negatively affect society as well as internal business processes. Hence, the most important condition for sustainability of information systems is the ability to safeguard all sorts of electronic transactions that occur. Lack of security is one of the biggest hurdles in the growth of e-Commerce. Unless an electronic transaction is secure it is difficult to determine its authenticity. The users will be hesitant to send confidential information over the net. For any individual or organization that relies on computer technology, security threats are evolving and becoming increasingly dangerous. Computer users are involved in an arms race with hackers and virus writers. This makes it imperative to understand the types of security issues that may affect a computer system or a network of computers.