
CHAPTER 5

Protecting Information Resources


Learning Objectives:
5-1 Understand cybercrime and its impact on the global economy.
5-2 Describe information technologies that could be used in computer crimes.
5-3 Describe basic safeguards in computer and network security.
5-4 Identify the nine most common intentional security threats.
5-5 Describe the nine security measures and enforcement that a comprehensive security system
should include.
5-6 Summarize the guidelines for a comprehensive security system including business continuity
planning.

Terms to learn in this chapter (key terms):

Access controls, Adware, Asymmetric encryption, Availability, Backdoors, Baiting, Biometric security measures, Black hats, Blended threats, Business continuity planning, Call-back modem, Computer fraud, Confidentiality, Cryptojacking, Data encryption, Denial-of-service attacks, Fault-tolerant systems, Firewall, Integrity, Intrusion detection system (IDS), Keystroke loggers, Logic bombs, Password, Pharming, Phishing, Physical security measures, PKI (public key infrastructure), Quid pro quo, Rootkits, Script kiddies, Secure Sockets Layer (SSL), Sniffing, Social engineering, Spoofing, Spyware, Symmetric encryption, Transport Layer Security (TLS), Trojan programs, Virtual private network (VPN), Virus, White hats, Worm, Zero trust security

Source of Information: MIS 10 – Management Information Systems – 10th Edition – Bidgoli - Cengage

Risks Associated with Information Technology

Information technologies can be misused to invade users' privacy and commit computer crimes. The following sections describe some of these misuses and discuss related privacy issues.

The Cost of Cybercrime to the Global Economy

The costs of cybercrime include lost revenue, stolen identities, intellectual property, and trade secrets, as well as the damage done to the reputations of companies and individuals. The total cost to a victim also includes the expense of enhancing and upgrading the company's network security after an attack.

Spyware and Adware

Spyware is software that secretly gathers information about users while they browse the Web. This
information could be used for malicious purposes.

Adware is a form of spyware that collects information about the user (without the user's consent) to determine which advertisements to display in the user's Web browser. In addition to antivirus software, an ad-blocking feature should be installed in your Web browser to protect against adware.

Phishing, Pharming, Baiting, Quid Pro Quo, SMiShing, and Vishing

Phishing is sending fraudulent e-mails that seem to come from legitimate sources, such as a bank or university, to trick recipients into revealing credentials or other personal information. SMiShing and vishing are the same lure delivered by SMS text message and by voice call, respectively.

Similar to phishing, pharming is directing Internet users to fraudulent Web sites with the intention of stealing their personal information, such as Social Security numbers, passwords, bank account numbers, and credit card numbers. The difference is that pharmers do not rely on the victim clicking a bad link: they hijack the resolution of an official Web site address (for example by poisoning DNS or the victim's local hosts file) so that users who type the correct Web address are directed to the pharmer's fraudulent Web site.

Baiting is similar to phishing. What distinguishes it is the promise the baiter makes to the recipient, such as a free download or a "found" USB drive, in exchange for which the victim installs malware or gives up information.

Similar to baiting, quid pro quo involves a hacker requesting critical data or login information in exchange for a service or prize (for example, posing as technical support offering to fix a problem).
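
One place pharming shows up on a victim's own machine is the hosts file, which the operating system consults before DNS. The following check is an added example, not code from the textbook or this summary: it parses a constructed hosts file and flags any watched domain pinned to a non-loopback address. The domain names, addresses and the `watchDomains` list are all assumptions made up for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample hosts file (not a real capture). The last two lines
// are the kind of entry a pharming trojan adds so that the bank's name
// resolves to an attacker-controlled address without any DNS query.
const sampleHosts = `127.0.0.1   localhost
::1         localhost
# corporate intranet
10.0.0.5    wiki.corp.example
198.51.100.7  bank.example www.bank.example
203.0.113.9   login.bank.example`

// watchDomains is a hypothetical list of sites the check cares about.
var watchDomains = []string{"bank.example", "login.bank.example"}

// hostsEntry is one parsed line: an address and the names mapped to it.
type hostsEntry struct {
	addr  net.IP
	names []string
}

// parseHosts parses hosts-file text, skipping blank lines and comments.
func parseHosts(text string) []hostsEntry {
	var out []hostsEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil {
			continue
		}
		out = append(out, hostsEntry{addr: ip, names: fields[1:]})
	}
	return out
}

// suspiciousOverrides returns every watched domain (or subdomain of one)
// that the hosts file pins to an address, bypassing DNS. Loopback pins are
// tolerated because developers add those deliberately.
func suspiciousOverrides(entries []hostsEntry, watched []string) map[string]string {
	found := map[string]string{}
	for _, e := range entries {
		if e.addr.IsLoopback() {
			continue
		}
		for _, name := range e.names {
			n := strings.ToLower(name)
			for _, w := range watched {
				if n == w || strings.HasSuffix(n, "."+w) {
					found[n] = e.addr.String()
				}
			}
		}
	}
	return found
}

func main() {
	for name, addr := range suspiciousOverrides(parseHosts(sampleHosts), watchDomains) {
		fmt.Printf("hosts file pins %s to %s: possible pharming\n", name, addr)
	}
}
```

On a real system the same function would be fed the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts; a finding means the browser never asked DNS for that name at all, which is exactly why a correctly typed address can still land on the pharmer's site.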

Keystroke Loggers - monitor and record keystrokes and can be software or hardware devices.

Sniffing and Spoofing

Sniffing is capturing and recording network traffic. Although it can be done for legitimate reasons,
such as monitoring network performance, hackers often use it to intercept information.

Spoofing is an attempt to gain access to a network by posing as an authorized user in order to find
sensitive information, such as passwords and credit card information. Spoofing also happens when
an illegitimate program poses as a legitimate one.
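
To make concrete what a sniffer sees on an unencrypted link, here is an added example (not from the textbook) in Go: it walks the Ethernet, IPv4 and TCP headers of a captured frame and pulls the credentials out of an HTTP Basic Authorization header. The frame is constructed inline by `sampleFrame` with made-up addresses, ports and a made-up username and password; IP and TCP checksums are left at zero because nothing here puts the frame on a wire.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Segment is the part of a captured frame a sniffer cares about.
type Segment struct {
	Src, Dst         net.IP
	SrcPort, DstPort uint16
	Payload          []byte
}

// parseFrame walks Ethernet -> IPv4 -> TCP and returns the application
// payload. Only the IPv4/TCP path is handled; anything else is rejected.
func parseFrame(frame []byte) (*Segment, error) {
	if len(frame) < 14 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return nil, errors.New("not an IPv4 frame")
	}
	ip := frame[14:]
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return nil, errors.New("truncated or non-IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || total > len(ip) || ip[9] != 6 { // protocol 6 = TCP
		return nil, errors.New("bad IPv4 length or not TCP")
	}
	tcp := ip[ihl:total]
	if len(tcp) < 20 {
		return nil, errors.New("truncated TCP header")
	}
	doff := int(tcp[12]>>4) * 4
	if doff < 20 || doff > len(tcp) {
		return nil, errors.New("bad TCP data offset")
	}
	return &Segment{
		Src: net.IP(ip[12:16]), Dst: net.IP(ip[16:20]),
		SrcPort: binary.BigEndian.Uint16(tcp[0:2]),
		DstPort: binary.BigEndian.Uint16(tcp[2:4]),
		Payload: tcp[doff:],
	}, nil
}

// basicCredentials scans an HTTP request for "Authorization: Basic" and
// decodes it; plaintext HTTP hands this to anyone on the path.
func basicCredentials(payload []byte) (user, pass string, ok bool) {
	for _, line := range strings.Split(string(payload), "\r\n") {
		if !strings.HasPrefix(strings.ToLower(line), "authorization: basic ") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[21:]))
		if err != nil {
			return "", "", false
		}
		user, pass, ok = strings.Cut(string(raw), ":")
		return
	}
	return "", "", false
}

// sampleFrame builds a constructed capture: one TCP segment carrying an
// HTTP request with Basic auth from 192.0.2.10 to 198.51.100.7:80.
func sampleFrame() []byte {
	body := []byte("GET /account HTTP/1.1\r\nHost: www.bank.example\r\n" +
		"Authorization: Basic " + base64.StdEncoding.EncodeToString([]byte("alice:Tr0ub4dor")) + "\r\n\r\n")
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 51234) // source port
	binary.BigEndian.PutUint16(tcp[2:4], 80)    // destination port
	tcp[12] = 5 << 4                             // data offset: 5 words, no options
	tcp[13] = 0x18                               // PSH|ACK
	ip := make([]byte, 20)
	ip[0] = 0x45 // IPv4, IHL 5
	binary.BigEndian.PutUint16(ip[2:4], uint16(20+len(tcp)+len(body)))
	ip[8], ip[9] = 64, 6 // TTL, protocol TCP; checksum left zero (constructed)
	copy(ip[12:16], net.ParseIP("192.0.2.10").To4())
	copy(ip[16:20], net.ParseIP("198.51.100.7").To4())
	eth := make([]byte, 14)
	binary.BigEndian.PutUint16(eth[12:14], 0x0800) // EtherType IPv4
	frame := append(eth, ip...)
	frame = append(frame, tcp...)
	return append(frame, body...)
}

func main() {
	seg, err := parseFrame(sampleFrame())
	if err != nil {
		panic(err)
	}
	if u, p, ok := basicCredentials(seg.Payload); ok {
		fmt.Printf("%s:%d -> %s:%d leaked credentials %s / %s\n", seg.Src, seg.SrcPort, seg.Dst, seg.DstPort, u, p)
	}
}
```

The same parser applied to an HTTPS capture would return a payload of TLS records rather than readable headers, which is the whole reason the TLS and VPN measures later in this chapter exist.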

Computer Crime and Fraud

Computer fraud is the unauthorized use of computer data for personal gain, such as transferring
money from another’s account or charging purchases to someone else’s account.

In addition to phishing, pharming, and spoofing, computer crimes include the following:

• Denial-of-service attacks, which inundate a Web site or network with e-mails and other network traffic so that it becomes overloaded and cannot handle legitimate traffic.
• Identity theft, such as stealing Social Security numbers for unauthorized use (The information box "Identity Theft at the Internal Revenue Service" discusses identity theft at the Internal Revenue Service.)
• Software piracy and other infringements of intellectual property
• Distributing child pornography
• E-mail spamming
• Writing or spreading viruses, worms, Trojan programs, and other malicious code
• Stealing files for industrial espionage
• Changing computer records illegally
• Virus hoaxes, in which individuals intentionally spread false statements or information through the Internet in such a way that readers believe they are true.

Computer and Network Security: Basic Safeguards

Computer and network security has become critical for most organizations, especially in recent years, with hackers becoming more numerous and more adept at stealing and altering private information.

A comprehensive security system protects an organization's resources, including information, computer, and network equipment.

There are three important aspects of computer and network security (the CIA triad):

1. Confidentiality means that a system must not allow the disclosure of information to anyone who is not authorized to access it.
2. Integrity refers to the accuracy of information resources within an organization: data must not be altered without authorization.
3. Availability means that computers and networks are operating, and authorized users can access the information they need.

Security Threats: An Overview

Computer and network security are important to prevent loss of, or unauthorized access to, important information resources. Some threats can be controlled completely or partially, but some cannot be controlled.

Intentional Threats

Intentional computer and network threats include:

• Viruses
• Worms
• Trojan programs
• Logic bombs
• Backdoors
• Blended threats (e.g., a worm launched by a Trojan)
• Rootkits
• Denial-of-service attacks
• Social engineering
• Cryptojacking

Security Measures and Enforcement: An Overview

Biometric Security Measures - use a physiological element that is unique to a person and cannot be lost, forgotten, or lent to someone else. They are not foolproof: a stored template or a copied sample (a lifted fingerprint, a photograph) can still be abused, and unlike a password a compromised biometric cannot be changed.

Nonbiometric Security Measures

The three main nonbiometric security measures are:

• Call-back modems - verify whether a user's access is valid by logging the user off (after he or she attempts to connect to the network) and then calling the user back at a predetermined number.
• Firewalls - a combination of hardware and software that acts as a filter or barrier between a private network and external computers or networks, including the Internet. A network administrator defines rules for the traffic that is permitted; everything not explicitly allowed is blocked (default deny).
• Intrusion Detection Systems (IDS) - can protect against both external and internal access. An IDS is usually placed in front of a firewall (or on a mirror port behind it) and can identify attack signatures, trace patterns, generate alarms for the network administrator, and cause routers to terminate connections with suspicious sources.
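
The firewall rule set described above is a first-match, default-deny policy, and rule order matters as much as rule content. The following is an added example (not from the textbook) of how such a policy is evaluated, written in Go: a hypothetical small-office policy of three rules is applied to constructed packets, and anything no rule permits falls through to the implicit deny. All addresses, ports and rule names are made up for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one firewall entry: traffic from Src to the given protocol/port.
// Port 0 matches any port. Rules are evaluated top down; first match wins.
type Rule struct {
	Name  string
	Src   *net.IPNet
	Proto string
	Port  uint16
	Allow bool
}

// Packet is the minimal tuple a stateless packet filter inspects.
type Packet struct {
	Src   net.IP
	Proto string
	Port  uint16
}

// cidr parses a network in CIDR notation; the policy below is static,
// so a parse failure is a programming error and panics.
func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// evaluate returns the decision and the name of the rule that made it.
// When no rule matches, the answer is deny: nothing the administrator
// did not explicitly permit gets through.
func evaluate(rules []Rule, p Packet) (bool, string) {
	for _, r := range rules {
		if r.Src.Contains(p.Src) && r.Proto == p.Proto && (r.Port == 0 || r.Port == p.Port) {
			return r.Allow, r.Name
		}
	}
	return false, "implicit default deny"
}

// Hypothetical policy for a small office network (constructed): a known
// scanner is blocked before anything else, anyone may reach the HTTPS
// server, and only the admin subnet may reach SSH. If the block rule were
// moved below the web rule, the scanner would be allowed to port 443.
var policy = []Rule{
	{"block-scanner", cidr("203.0.113.66/32"), "tcp", 0, false},
	{"web-from-anywhere", cidr("0.0.0.0/0"), "tcp", 443, true},
	{"ssh-from-admins", cidr("10.0.9.0/24"), "tcp", 22, true},
}

func main() {
	for _, p := range []Packet{
		{net.ParseIP("198.51.100.20"), "tcp", 443}, // internet -> web: allowed
		{net.ParseIP("198.51.100.20"), "tcp", 22},  // internet -> ssh: no rule, denied
		{net.ParseIP("10.0.9.14"), "tcp", 22},      // admin -> ssh: allowed
		{net.ParseIP("203.0.113.66"), "tcp", 443},  // scanner -> web: blocked first
		{net.ParseIP("10.0.9.14"), "udp", 53},      // admin -> dns: no rule, denied
	} {
		ok, why := evaluate(policy, p)
		fmt.Printf("%-14s %s/%-4d -> allow=%-5v (%s)\n", p.Src, p.Proto, p.Port, ok, why)
	}
}
```

Real firewalls also track connection state and match on destination address and direction, but the two properties shown here, first match wins and unmatched traffic is dropped, are what the administrator's rule set must be written around.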

Physical Security Measures - primarily control access to computers and networks, and they include
devices for securing computers and peripherals from theft.

Access Controls - are designed to protect systems from unauthorized access in order to preserve data integrity.

Virtual Private Networks - provide a secure "tunnel" through the Internet for transmitting messages and data via a private network (see Exhibit 5.6). A VPN is often used so remote users have a secure connection to the organization's network.

Data Encryption - transforms data, called plaintext or cleartext, into a scrambled form called ciphertext that cannot be read by others. The rules for encryption, known as the encryption algorithm, determine how simple or complex the transformation process is. The receiver then unscrambles the data by using a decryption key. With symmetric encryption the sender and receiver share one secret key that both encrypts and decrypts; with asymmetric encryption the sender uses the receiver's public key to encrypt and only the receiver's private key can decrypt.

E-Commerce Transaction Security Measures

E-commerce transaction security is concerned with the following issues:

• Confidentiality—How can you ensure that only the sender and intended recipient can read the message?
• Authentication—How can the recipient know that data is actually from the sender?
• Integrity—How can the recipient know that the data's contents have not been changed during transmission?
• Nonrepudiation of origin—The sender cannot deny having sent the data.
• Nonrepudiation of receipt—The recipient cannot deny having received the data.
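
The encryption paragraph above and the first four e-commerce issues in this list fit together in one exchange, so here is a single added example (not from the textbook) in Go's standard library: the sender signs an order with an Ed25519 private key (authentication and nonrepudiation of origin, since only the sender holds that key), then seals signature and order with AES-256-GCM under a symmetric key the two parties share (confidentiality, with GCM's authentication tag providing integrity). The order text, the pre-shared key and the keypairs are all generated or made up inside the example; how the shared key was agreed is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealSymmetric encrypts plaintext with AES-256-GCM. Output is
// nonce || ciphertext || tag; the tag means tampering is detected on
// decryption instead of silently yielding garbage.
func sealSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSymmetric reverses sealSymmetric and fails closed on any modification.
func openSymmetric(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// signThenSeal is the sender side: the Ed25519 signature binds the order
// to the sender's key, then signature and order are sealed together.
func signThenSeal(order []byte, sender ed25519.PrivateKey, sharedKey []byte) ([]byte, error) {
	sig := ed25519.Sign(sender, order)
	return sealSymmetric(sharedKey, append(sig, order...))
}

// openThenVerify is the recipient side: decrypt, then check the signature
// against the sender's public key before trusting the order.
func openThenVerify(sealed []byte, senderPub ed25519.PublicKey, sharedKey []byte) ([]byte, error) {
	plain, err := openSymmetric(sharedKey, sealed)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err) // wrong key or modified in transit
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("message too short to carry a signature")
	}
	sig, order := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, order, sig) {
		return nil, errors.New("signature does not match sender")
	}
	return order, nil
}

// demo runs one honest exchange and one in which a single ciphertext bit
// is flipped in transit; it returns the recovered order and the error
// the tampered copy produced.
func demo() ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	shared := make([]byte, 32) // 256-bit symmetric key, assumed pre-shared
	rand.Read(shared)
	sealed, err := signThenSeal([]byte("pay 100.00 to acct 4471"), priv, shared)
	if err != nil {
		return nil, err
	}
	order, err := openThenVerify(sealed, pub, shared)
	if err != nil {
		return nil, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := openThenVerify(tampered, pub, shared)
	return order, tamperErr
}

func main() {
	order, tamperErr := demo()
	fmt.Printf("recovered: %q\ntampered copy rejected: %v\n", order, tamperErr)
}
```

Nonrepudiation of receipt is the one item the example leaves out: it needs the recipient to send back a signed acknowledgement of the order with its own key, which is a second exchange built from the same two primitives.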

Computer Emergency Response Team - The Computer Emergency Response Team (CERT) was developed by the Defense Advanced Research Projects Agency (part of the Department of Defense) in response to the 1988 Morris worm attack, which disabled 10 percent of the computers connected to the Internet. Many organizations now follow the CERT model to form teams that can handle network intrusions and attacks quickly and effectively.

Zero Trust Security - a relatively new security model that requires every person and every device accessing a network to be authenticated and authorized, regardless of whether the request comes from inside or outside the organization's perimeter.

Guidelines for a Comprehensive Security System

An organization’s employees are an essential part of the success of any security system, so training
employees about security awareness and security measures is important. Some organizations use a
classroom setting for training, and others conduct it over the organization’s intranet.

There are several steps that need to be considered when developing a comprehensive security plan (refer to pages 129-130 of the textbook).

Business Continuity Planning

To lessen the effects of a natural disaster or a network attack or intrusion, planning the recovery is important. This should include business continuity planning, which outlines procedures for keeping an organization operational.

A disaster recovery plan lists the tasks that must be performed to restore damaged data and equipment as well as steps to prepare for a disaster, such as the following:

• Back up all files.
• Periodically review security and fire standards for computer facilities.
• Periodically review information from CERT and other security agencies.
• Make sure staff members have been trained and are aware of the consequences of possible disasters and steps to reduce the effects of disasters.
• Test the disaster recovery plan with trial data.

Many other steps can be found on page 130 of the textbook.
