information security and control threats | lecture notes in MIS

Information Technology and computers have brought about a paradigm shift in the way the corporate organizations operate. There is a significant impact of IT and computers on the business processes, an evolution of new products/ services, improved profits, global integration and more efficient and effective allocation and utilization of resources, among others. IT and computers have indeed heralded the “Information Age.” Resultantly, “Information” itself has emerged as one of the most valuable and sought after “Resource,” conferring the competitive advantage on those organizations, which have it. However, those organizations which missed the bus did try to regain their position by sometimes, poaching or on other occasions, trying to encroach upon the Information Resource base of their competitors, by cracking or breaking into the Information/Computer Systems of their leading counterparts. The spread of Internet and the relative ease of access made this task of “Information Breach” relatively easier. The cracking or breaking into the computer system by way of malicious and unauthorized access could be any one of the following or otherwise:

i. Unauthorized reading of data (theft of information)
ii. Unauthorized modification of data
iii. Unauthorized destruction of data

WHY BREAK IT SYSTEM SECURITY

There could be some reasons as to why people/organizations would want to crack or break into the computer systems of their competitors, in particular. Some of the most popular reasons could be mentioned as follows:

i. Revenge
ii. Money
iii. A shot at/of notoriety
iv. The challenge of doing “IT.”

Regardless of the reasons, there is no denying the fact there continued to be some attempts some successful, some failed against the computer/ IT systems security. It then became apparent, indeed imperative, that the organizational “Information Resources” needed to be guarded, protected and controlled by such unauthorized and undesired access as, otherwise, not only the data, the networks and the information infrastructure but, ultimately, the organization itself could be at risk.

INFORMATION SECURITY THREATS

There are two different types of threats/problems:
1. External threat
2. Internal Threat

With the prevalence of remote access, the World Wide Web, intranets, and extranets, the distinction/difference between the external threats and the internal threats is more often blurred and hazy. Thus, the difference is more logical than a physical one.

1. External security threats: The external threats would be those emanating from outside the organization. To provide protection against these threats, the following issues need to be addressed: a. Internet connections: Normally, in every organization, there are relatively few, identifiable Internet connections. It is, therefore, relatively easy to focus on them and exercise control. This connection should be protected by a “Firewall.” Firewalls are hardware and software combinations that guard the border between the corporate Inter/Intranet (private access) and the Internet (public access). Firewalls can control who can surf the Web, download files, etc. Firewalls can also hide the organizational network’s identity from the rest of the world on the Internet, as the corporate internal IP address is never used. It should be remembered that I f the organization’s Internet connections are not protected by firewalls, it would be like going away on leave/vacation/holidays and leaving the door unlocked. It would be an invitation for disaster as, while there may not be any visible indication that you are vulnerable, the first person who comes knocking on the door is going to find out that the door is open and not locked, and he may not be exactly your best and trusted friend.

b. Remote dial-in capabilities:

While the Internet connections are few and easy to watch/control, the threats from dial-in are real. There might be hundreds of dial-in threats, most of which might be unknown to the security administration. Any user in the organization with a phone line and a modem attached to his PC can be an exposed to external access. While controlling remote dial-in capabilities, the following aspects need to be given due weight/considerations:

i. Remote access
ii. Remote Access Servers (RAS)
iii. Server ID
iv. The weak points of the system environment

2. Internal security threats: It is thought that the people who are employees of the company are on “our” side and the real threat to security comes from “outside.” Security threats can also come from within the organization. It is, therefore, imperative that formal security policies/measures are carefully designed and scrupulously followed to ensure the best protection and prevent security breaches. The policies/standards need to address the following aspects:

a. Passwords: Password should be at least five characters in length. It should be neither the same as the user’s ID nor be a common word. It should expire/change regularly, and reuse of the older password should not be permitted. Some software, with the ability to disable An ID if too many or specified failed attempts are made within a specified period, should be installed.

b. User terminations: When the user ceases to be an employee, intern, temporary associate or consultant/contractor, the user security administrator must be informed immediately, so that the user ID could be terminated.

c. Special privilege IDs: Certain functionaries like Network/System Managers are allotted unique IDs and passwords called Root, Supervisor or Administrator ID/Passwords providing “Carte Blanche” access to the network. These passwords too should be changed regularly and changed immediately when someone who knows them leaves the organization.

d. Access review: There are some users and hundreds of thousands, if not millions, of files on computer networks. Some user administrator review must be undertaken twice or thrice a year to ensure that unauthorized users are not given access.

e. Authorisation levels: It must be made clear as to who has authority over what. It must also be ensured that the requests for authorization permitting access to relevant database files are received and issued in writing, usually via e-mail. Further, the user could be assigned several forms of authorisation for access to parts of the database. The authorisation could be:

• Read authorisation
• Insert authorisation
• Update authorisation
• Delete authorisation
• Index authorisation
• Resource authorization
• Actuation authorisation
• Drop permission

f. User information: The users should be made aware of the security issues.

g. Routine Maintenance: Routine maintenance should mainly cover activities like, IDs that have not been used in a predefined period should be disabled. Logs giving details about unsuccessful login attempts should be reviewed and investigated. Files that have not been accessed for quite some time should be purged to free up space.

h. Software updates: Security administrators should regularly check with the software vendors to obtain and apply the latest software updates or patches that help close security gaps/holes.

i. Virus checking: Viruses are any type of programming code that intentionally causes a system disruption, shut down or loss of data. The disruption might be harmless or even amusing like displaying the message, “Feel like the banana?” on the computer screen. The disruption could also be hostile and destructive leading to erasing of files/data on hard drives without any intimation. There are many types of viruses including those known as “Trojan Horses” and “Worms.” Some other major viruses are “Melissa,” “Chernobyl,” “Explorer Zip.Worms”, “I Love You,” “Code Red” and “WBL SQL Slammer,” among others. Viruses, therefore, have been occupational annoyances/hazards for the IT professionals. As, however, viruses pose a genuine threat to security, due, in fact, particular attention has to be paid to the virus protection programs, policies and procedures. Installation of anti-virus software is, hence, a must. Pattern files, which contain all the information that the actual anti-viruses program uses to look for the virus, must be updated regularly. Further, as e-mail has become the most prevalent form of propagating viruses, anti-virus software should be installed on mail servers to scan message attachments. Some of the anti-virus software products currently in use are k. Symantec’s Norton Antivirus, McAfee Antivirus, Kaspersky Antivirus, etc. Physical considerations: be controlled. Access tot limited on the need basis. Other IT areas like auxiliary storages, wiring closets, etc. should be locked. Even printed report distribution should be controlled, and apart from the door locks and access cards, shredders should be made available to dispose of redundant output. Visitors should be personally escorted within the premises.

K. Audit trails: It can/should be made mandatory to maintain an audit trail. An audit trail is a log of all changes (inserts/deletes/updates) to the database, along with information such as which user performed the change and when the change was performed. The audit trails help “security” and “control” in many ways such as:

i. Tracing all the updates delivered.
ii. Finding incorrect/fraudulent updates.
iii. Finding the person who carried out the updates.

Audit trails could be created by defining appropriate triggers on relation updates. Audit trails could also be based on built-in mechanisms.

Leave a Reply