Monday, December 29, 2014

CHAPTER 4: Information Security


In this post I will highlight the most important points in every section of chapter four.





4.1 Introduction to Information Security



*Five Factors Increasing the Vulnerability of Information Resources:-
  • Today’s interconnected, interdependent, wirelessly-networked business environment
  • Smaller, faster, cheaper computers and storage devices
  • Decreasing skills necessary to be a hacker
  • Organized crime taking over cybercrime
  • Lack of management support





4.2 Unintentional Threats to Information Systems




*Human Errors:
  • Carelessness with laptops and portable computing devices
  • Opening questionable e-mails
  • Careless Internet surfing
  • Poor password selection and use


*Social Engineering:

Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords.

Two examples:
  • Tailgating: an unauthorized person follows an authorized employee through a secured entrance. To deter tailgating, many companies have anti-tailgating doors protecting the entrance into high-security areas; only one person at a time can go through this type of door.


  • Shoulder surfing: Shoulder surfing occurs when the attacker watches another person’s computer screen over that person’s shoulder. It is particularly dangerous in public areas such as airports, commuter trains, and on airplanes.


4.3 Deliberate Threats to Information Systems

*There are many types of deliberate attacks including:
  • Espionage or Trespass
  • Information extortion
  • Sabotage or vandalism
  • Theft of equipment or information
  • Identity theft
  • Compromises to intellectual property
  • Software attacks
  • Alien software
  • Supervisory control and data acquisition (SCADA) attacks
  • Cyberterrorism and cyberwarfare






*Espionage or trespass

Espionage or trespass:  Competitive intelligence consists of legal information-gathering techniques. 
Industrial espionage crosses the legal boundary.




*Compromises to intellectual property

Intellectual property: Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.

Trade secret: Intellectual work, such as a business plan, that is a company secret and is not based on public information.

Patent: Document that grants the holder exclusive rights on an invention or process for 20 years.
Copyright: Statutory grant that provides creators of intellectual property with ownership of the property for life of the creator plus 70 years.





*Software attacks

Virus: A virus is a segment of computer code that performs malicious actions by attaching to another computer program.

Worm: A worm is a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.

Trojan horse: A Trojan horse is a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.

Logic Bomb: A logic bomb is a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

Phishing attacks: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.

Distributed denial-of-service attacks: In a distributed denial-of-service attack, the attacker first takes over many computers.  These computers are called zombies or bots.  Together, these bots form a botnet.




*Alien Software

Spyware: Spyware collects personal information about users without their consent.  Two types of spyware are keystroke loggers (keyloggers) and screen scrapers.  Keystroke loggers record your keystrokes and your Web browsing history.  Screen scrapers record a continuous “movie” of what you do on a screen.

Spamware: Spamware is alien software that is designed to use your computer as a launchpad for spammers.  Spam is unsolicited e-mail.

Cookies: Cookies are small amounts of information that Web sites store on your computer.





*Supervisory control and data acquisition (SCADA) attacks


A supervisory control and data acquisition (SCADA) system is a large-scale, distributed, measurement and control system.
SCADA systems are the link between the electronic world and the physical world.



4.4 What Organizations Are Doing to Protect Themselves




*Risk Management:-

Risk: the probability that a threat will impact an information resource.

Risk management: to identify, control and minimize the impact of threats.

Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.

Risk mitigation: the organization takes concrete actions against risk. It has two functions:

(1) Implementing controls to prevent identified threats from occurring, and
(2) Developing a means of recovery should the threat become a reality.





*Risk Mitigation Strategies:-

Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Risk limitation: limit the risk by implementing controls that minimize the impact of a threat.

Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
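As an added worked illustration (not from the textbook or this post), the risk analysis described in 4.4 and the three mitigation strategies above can be expressed as a comparison of annual costs. The asset figures are constructed sample values, and the model assumes that controls leave a residual probability of compromise and that insurance covers the full loss:

```python
# Added illustration of the chapter's risk analysis and risk mitigation steps.
# All asset values, probabilities and costs are constructed sample figures.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                 # loss to the organization if the asset is compromised
    probability: float           # estimated annual probability of compromise (0..1)
    control_cost: float          # annual cost of controls that limit the threat
    residual_probability: float  # probability of compromise that remains with controls
    insurance_cost: float        # annual premium that transfers the loss to an insurer


def expected_loss(value: float, probability: float) -> float:
    """Risk analysis: probable cost of compromise = asset value x probability."""
    return value * probability


def strategy_costs(asset: Asset) -> dict:
    """Annual cost of each of the chapter's three risk mitigation strategies."""
    return {
        # Risk acceptance: no controls, absorb whatever damage occurs.
        "acceptance": expected_loss(asset.value, asset.probability),
        # Risk limitation: pay for controls, plus the loss that still gets through.
        "limitation": asset.control_cost
        + expected_loss(asset.value, asset.residual_probability),
        # Risk transference: pay someone else (e.g. an insurer) to absorb the loss.
        # Assumes the policy covers the full loss (a simplification).
        "transference": asset.insurance_cost,
    }


def choose_strategy(asset: Asset) -> str:
    """Pick the strategy with the lowest annual cost."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.get)


# Constructed sample assets; none of these figures come from the textbook.
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.01, 60_000),
    Asset("lobby visitor kiosk", 2_000, 0.30, 5_000, 0.05, 1_500),
    Asset("warehouse stock system", 300_000, 0.05, 40_000, 0.02, 12_000),
]


def risk_register(assets=SAMPLE_ASSETS) -> dict:
    """Map each asset to the chosen mitigation strategy."""
    return {asset.name: choose_strategy(asset) for asset in assets}


if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        costs = strategy_costs(asset)
        print(f"{asset.name}: {choose_strategy(asset)} "
              + ", ".join(f"{k}={v:,.0f}" for k, v in costs.items()))
```

With these figures the database is worth protecting with controls, the kiosk is cheapest to accept, and the stock system is cheapest to insure.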







4.5 Information Security Controls


Physical controls: Physical protection of computer facilities and resources.

Access controls: Restriction of unauthorized user access to computer resources; biometrics and password controls are used for user identification.

Communications (network) controls: Protect the movement of data across networks; they include border security controls, authentication, and authorization.




*Authentication (Access controls):


Authentication - The major objective is proof of identity.

Something the User Is - Also known as biometrics, these access controls examine a user's innate physical characteristics. 


Something the User Has - These access controls include regular ID cards, smart cards, and tokens.


Something the User Does - These access controls include voice and signature recognition.


Something the User Knows - These access controls include passwords and passphrases. A password is a private combination of characters that only the user should know. A passphrase is a series of characters that is longer than a password but can be memorized easily.






*Communications Controls:

Firewalls: System that enforces access-control policy between two networks.



 
Anti-malware systems (also called antivirus software): are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.



Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware.



Blacklisting: a process in which a company allows all software to run unless it is on the blacklist.
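An added example (not part of the original post) that contrasts the two policies: software is identified by the SHA-256 hash of its contents, the program names and contents are constructed samples, and the point to notice is that a never-before-seen malicious program passes the blacklist but not the whitelist:

```python
# Added example contrasting whitelisting (default deny) with blacklisting
# (default allow). Program names and contents are constructed samples.
import hashlib


def fingerprint(contents: bytes) -> str:
    """Identify software by a hash of its contents, not by its file name,
    so a renamed or modified binary does not inherit an approval."""
    return hashlib.sha256(contents).hexdigest()


# Constructed sample programs: file name -> file contents.
SAMPLE_PROGRAMS = {
    "payroll.exe": b"approved payroll application build 4.2",
    "browser.exe": b"approved web browser build 118",
    "known_worm.exe": b"worm sample already catalogued by the vendor",
    "new_trojan.exe": b"trojan sample nobody has catalogued yet",
}

# Whitelist: the software the company has decided it will allow to run.
WHITELIST = {
    fingerprint(SAMPLE_PROGRAMS["payroll.exe"]),
    fingerprint(SAMPLE_PROGRAMS["browser.exe"]),
}

# Blacklist: the malware that has been recognised so far.
BLACKLIST = {fingerprint(SAMPLE_PROGRAMS["known_worm.exe"])}


def whitelist_allows(contents: bytes, whitelist=WHITELIST) -> bool:
    """Run only software on the whitelist; no attempt is made to recognise malware."""
    return fingerprint(contents) in whitelist


def blacklist_allows(contents: bytes, blacklist=BLACKLIST) -> bool:
    """Allow everything unless it is on the blacklist."""
    return fingerprint(contents) not in blacklist


def compare_policies(programs=SAMPLE_PROGRAMS) -> dict:
    """Decision of each policy for each sample program."""
    return {
        name: {"whitelist": whitelist_allows(data), "blacklist": blacklist_allows(data)}
        for name, data in programs.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:16} whitelist={'run' if verdict['whitelist'] else 'block':5} "
              f"blacklist={'run' if verdict['blacklist'] else 'block'}")
```

The trade-off is the reverse of the benefit: a legitimate update to an approved program also needs a new whitelist entry before it will run.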


Encryption: Process of converting an original message into a form that cannot be read by anyone except the intended receiver.








*Network Controls:


Virtual private networking: A virtual private network is a private network that uses a public network (usually the Internet) to connect users.



Secure Socket Layer (now transport layer security): Secure socket layer (SSL), now called transport layer security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.



Employee monitoring systems: Employee monitoring systems monitor employees’ computers,  e-mail activities, and Internet surfing activities.





*Business Continuity Planning, Backup, and Recovery:-


Hot Site: Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations.

Warm Site: Warm Site provides many of the same services and options of the hot site, but it typically does not include the actual applications the company runs.

Cold Site: Cold Site provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.







*Information Systems Auditing:-


Information systems auditing: Independent or unbiased observers are tasked with ensuring that information systems work properly.



Audit: Examination of information systems, their inputs, outputs and processing.


Types of Auditors and Audits

Internal: Performed by corporate internal auditors.


External: Reviews internal audit as well as the inputs, processing and outputs of information systems.






*IS Auditing Procedure:-

Auditing around the computer:  Auditing around the computer means verifying processing by checking for known outputs or specific inputs.



Auditing through the computer: Auditing through the computer means that inputs, outputs, and processing are all checked.

Auditing with the computer: Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.










Tuesday, December 23, 2014

CHAPTER 3: Ethics and Privacy


In this post I will highlight the most important points in every section of chapter three.



3.1  Ethical Issues




*Ethical Frameworks:

Utilitarian approach: an ethical action is the one that provides the most good or does the least harm.

Rights approach: ethical action is the one that best protects and respects the moral rights of the affected parties.

Fairness approach: ethical actions treat all humans equally, or if unequally, then fairly, based on some defensible standard.

Common good approach: highlights the interlocking relationships that underlie all societies.






*General Framework for Ethics:


  • Recognize an ethical issue
  • Get the facts
  • Evaluate alternative actions
  • Make a decision and test it
  • Act and reflect on the outcome of your decision





*Ethics in the Corporate Environment

Code of ethics: A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.







*Fundamental tenets of ethics:

Responsibility: Responsibility means that you accept the consequences of your decisions and actions.

Accountability: Accountability means a determination of who is responsible for actions that were taken.

Liability: Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.





*Ethics and Information Technology

Four categories of ethical issues involving IT applications:

Privacy Issues: involve collecting, storing and disseminating information about individuals.

Accuracy Issues: involve the authenticity, fidelity and accuracy of information that is collected and processed.

Property Issues: involve the ownership and value of information.

Accessibility Issues: revolve around who should have access to information and whether they should have to pay for this access.







3.2  Privacy



Privacy: is the right to be left alone and to be free of unreasonable personal intrusions.




*Threats to Privacy:

  • Data aggregators, digital dossiers, and profiling
  • Electronic Surveillance
  • Personal Information in Databases
  • Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites





Data Aggregators, Digital Dossiers, and Profiling:-

Data aggregators are companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.

Digital dossier is an electronic description of you and your habits.

Profiling is the process of creating a digital dossier.





Electronic Surveillance:-

Electronic Surveillance: The tracking of people’s activities, online or offline, with the aid of computers.

The image demonstrates that many people are blissfully unaware that they can be under electronic surveillance while they are using their computers.




Personal Information in Databases:-

Personal Information in Databases: Information about individuals is being kept in many databases (banks, utility companies, government agencies, etc.); the most visible locations are credit-reporting agencies.






Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites:-

Social Networking Sites often include electronic discussions such as chat rooms. These sites appear on the Internet, within corporate intranets, and on blogs.

A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.




*Protecting Privacy:


Privacy Codes and Policies: An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.

Opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.

Opt-in model of informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.

International Aspects of Privacy: Privacy issues that international organizations and governments face when information spans countries and jurisdictions.



Tuesday, December 16, 2014

CHAPTER 7: Electronic Commerce: Applications and Issues

In this post I will highlight the most important points in every section of chapter seven.

7.1 Overview of E-Business and E-Commerce


*Definitions and Concepts

Electronic commerce (e-commerce, EC) describes the buying, selling, transferring or exchanging of products, services or information via computer networks, including the Internet.

E-business is a broader definition of EC, including buying and selling of goods and services, and also servicing customers, collaborating with partners, conducting e-learning and conducting electronic transactions within an organization.

Pure versus partial electronic commerce depends on the degree of digitization involved.

Brick-and-mortar organizations are purely physical organizations.

Virtual organizations are companies that are engaged only in EC. (Also called pure play)

Click-and-mortar organizations are those that conduct some e-commerce activities, yet their business is primarily done in the physical world, i.e., partial EC.



*Types of E-Commerce

Business-to-consumer (B2C): the sellers are organizations and the buyers are individuals.

Business-to-business (B2B): both the sellers and buyers are business organizations. B2B represents the vast majority of e-commerce.

Consumer-to-consumer (C2C): an individual sells products or services to other individuals.

Business-to-employee (B2E): An organization uses e-commerce internally to provide information and services to its employees. Companies allow employees to manage their benefits, take training classes electronically, and buy discounted insurance, travel packages, and event tickets.

E-Government: the use of Internet Technology in general and e-commerce in particular to deliver information about public services to citizens (called Government-to-citizen [G2C EC]), business partners and suppliers (called government-to-business [G2B EC]),

Mobile Commerce (m-commerce) refers to e-commerce that is conducted in a wireless environment. For example, using cell phone to shop over the Internet.


*Major E-Commerce Mechanisms

Auctions: An auction is a competitive process in which either a seller solicits consecutive bids from buyers or a buyer solicits consecutive bids from sellers.

Forward Auctions: Sellers use a forward auction as a channel to many potential buyers.

Reverse Auctions: In reverse auctions, one buyer, usually an organization, wants to buy a product or a service. The buyer posts a request for quotation (RFQ) on its Web site or on a third-party Web site.  The RFQ contains detailed information on the desired purchase. Suppliers study the RFQ and submit bids, and the lowest bid wins the auction.
In general, forward auctions result in higher prices over time, whereas reverse auctions result in lower prices over time.



*E-Commerce Business Models

Online direct marketing: manufacturers or retailers sell directly to customers.

Electronic tendering system: businesses (or governments) request quotes from suppliers; uses B2B (or G2B) with reverse auctions. Image above is the Hong Kong Government’s electronic tendering system homepage.

Name-your-own-price: customers decide how much they want to pay. Image above is William Shatner, Priceline’s spokesman.

Find-the-best-price: customers specify a need and an intermediary compares providers and shows the lowest price.

Affiliate marketing: Vendors ask partners to place logos or banners on partner’s site. If customers click on logo, go to vendor’s site, and buy, then vendor pays commission to partners.

Viral marketing: receivers send information about your product to their friends.

Group purchasing: small buyers aggregate demand to get a large volume; then the group conducts tendering or negotiates a lower price.

Online auctions: companies run auctions of various types on the Internet.

Product customization: customers use the Internet to self-configure products or services. Sellers then price them and fulfill them quickly.

Deep discounters: company offers deep price discounts.

Membership: only members can use the services provided.


*Benefits of E-Commerce

Benefits to organizations:-
  • Makes national and international markets more accessible
  • Lowering costs of processing, distributing, and retrieving information



Benefits to customers:-
  • Access a vast number of products and services around the clock (24/7/365)



Benefits to Society
  • Ability to easily and conveniently deliver information, services and products to people in cities, rural areas and developing countries.



*Limitations of E-Commerce

Technological Limitations:-
  • Lack of universally accepted security standards
  • Insufficient telecommunications bandwidth
  • Expensive accessibility


Non-technological Limitations:-
  • Perception that EC is insecure
  • Unresolved legal issues
  • Lacks a critical mass of sellers and buyers





7.2 Business-to-Consumer (B2C) Electronic Commerce


Electronic storefronts: An electronic storefront is a Web site that represents a single store.    

Electronic malls: Electronic malls are collections of individual shops under a single Internet address.


*Online Advertising

Advertising is an attempt to disseminate information in order to influence a buyer-seller transaction.

Online Advertising methods:-

Banners are simply electronic billboards.

Pop-up ad appears in front of the current browser window.

Pop-under ad appears underneath the active window.

Permission marketing asks consumers to give their permission to voluntarily accept online advertising and e-mail.

Viral marketing refers to online “word-of-mouth” marketing.


Eight Types of Web sites for Advertising:
  • Portals: most popular; best for reach but not targeting
  • Search: second largest reach; high advertising value
  • Commerce: high reach; not conducive to advertising
  • Entertainment: large reach; strong target ability
  • Community: emphasize being a part of something; good for specific advertising
  • Communications: not good for branding; low target ability
  • News/weather/sports: poor target ability
  • Games: good for very specific types of advertising







7.3 Business-to-Business (B2B) Electronic Commerce


In B2B e-commerce, the buyers and sellers are organizations.

B2B Sell-Side Marketplace: In the sell-side marketplace, organizations sell their products or services to other organizations electronically from their own Web site and/or from a third-party Web site. This model is similar to the B2C model in which the buyer comes to the seller’s site, views catalogs, and places an order.  In the B2B sell-side marketplace, the buyers are organizations.


B2B Buy-Side Marketplace: In the buy-side marketplace, organizations buy needed products or services from other organizations electronically, usually from their own Web site or a third-party Web site. A major method of buying in this model is the reverse auction described earlier: the buying organization posts an RFQ, suppliers submit bids, and the lowest bid wins. In the B2B buy-side marketplace, the buyer is an organization.



*Electronic Exchanges

Vertical Exchanges: Vertical exchanges connect buyers and sellers in a given industry.

Horizontal Exchanges: Horizontal exchanges connect buyers and sellers across many industries and are used mainly for MRO (maintenance, repair, and operations) materials.

Functional Exchanges: In functional exchanges, needed services such as temporary help or extra office space are traded on an “as-needed” basis.




7.4 Electronic Payments


Electronic payment systems enable you to pay for goods and services electronically.

Checks (e-checks) are similar to paper checks and are used mostly in B2B.

Electronic credit cards allow customers to charge online payments to their credit card account.

Purchasing cards are the B2B equivalent of electronic credit cards and are typically used for unplanned B2B purchases.

Electronic cash:
  • Stored-value money cards allow you to store a fixed amount of prepaid money and then spend it as necessary.
  • Smart cards contain a chip called a microprocessor that can store a considerable amount of information and are multipurpose – can be used as a debit card, credit card or a stored-value money card.
  • Person-to-person payments are a form of e-cash that enables two individuals or an individual and a business to transfer funds without using a credit card.






7.5 Ethical and Legal Issues


*Ethical Issues

Privacy: e-commerce provides opportunities for businesses and employers to track individual activities on the WWW using cookies or special spyware. This allows private/personal information to be tracked, compiled, and stored as an individual profile. This profile can be used or sold to other businesses for target marketing, or used by employers to aid in personnel management decisions (i.e., promotions, raises, layoffs).

Job Loss


*Legal Issues Specific to E-Commerce

Fraud on the Internet: e.g., stocks, investments, business opportunities, auctions.

Domain Names: problems with competition.

Cybersquatting: refers to the practice of registering domain names solely for the purpose of selling them later at a higher price.

Domain Tasting: is a practice of registrants using the five-day "grace period" at the beginning of a domain registration to profit from pay-per-click advertising.

Taxes and other Fees: when and where (and in some cases whether) electronic sellers should pay business license taxes, franchise fees, gross-receipts taxes, excise taxes, etc.

Copyright: protecting intellectual property in e-commerce and enforcing copyright laws is extremely difficult.