management information systems (13/e):part 2

Part Two: Information Technology Infrastructure

Chapter 8 Securing Information Systems

LEARNING OBJECTIVES

After reading this chapter, you will be able to answer the following questions:

1. Why are information systems vulnerable to destruction, error, and abuse?
2. What is the business value of security and control?
3. What are the components of an organizational framework for security and control?
4. What are the most important tools and technologies for safeguarding information resources?

CHAPTER OUTLINE

8.1 SYSTEM VULNERABILITY AND ABUSE
Why Systems Are Vulnerable
Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
Hackers and Computer Crime
Internal Threats: Employees
Software Vulnerability

8.2 BUSINESS VALUE OF SECURITY AND CONTROL
Legal and Regulatory Requirements for Electronic Records Management
Electronic Evidence and Computer Forensics

8.3 ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL
Information Systems Controls
Risk Assessment
Security Policy
Disaster Recovery Planning and Business Continuity Planning
The Role of Auditing

8.4 TECHNOLOGIES AND TOOLS FOR PROTECTING INFORMATION RESOURCES
Identity Management and Authentication
Firewalls, Intrusion Detection Systems, and Antivirus Software
Securing Wireless Networks
Encryption and Public Key Infrastructure
Ensuring System Availability
Security Issues for Cloud Computing and the Mobile Digital Platform
Ensuring Software Quality

Interactive Sessions:
Stuxnet and the Changing Face of Cyberwarfare
MWEB Business: Hacked

LEARNING TRACK MODULES
The Booming Job Market in IT Security
The Sarbanes-Oxley Act
Computer Forensics
General and Application Controls for Information Systems
Management Challenges of Security and Control
Software Vulnerability and Reliability

YOU’RE ON LINKEDIN? WATCH OUT!

LinkedIn is one of the most prominent social networking sites on the Web. LinkedIn has over 160 million members, mostly career-minded white-collar workers more interested in networking than being social.
Users maintain online resumes, establish links with their colleagues and business contacts, and search for experts with answers to their daily business problems. People looking for jobs or to advance their careers take this service very seriously. By any measure, LinkedIn has been one of the top tech success stories in the last decade. The company is now valued at over $12 billion.

In June 2012, however, the company suffered a staggering data breach that exposed the passwords of millions of LinkedIn users. Hackers breached LinkedIn’s security and stole 6.5 million user passwords, then posted the passwords publicly on a Russian hacking forum. In the aftermath of the breach, LinkedIn users and security experts alike were stunned that a company whose primary function is to collect and manage customer data had done so little to safeguard it. LinkedIn had woefully inadequate computer security, especially for a highly successful tech company with healthy cash reserves, a strong bottom line, and talented employees. Security experts criticized LinkedIn for not having a chief security officer whose primary job is to guard against security breaches.

But even more surprisingly, LinkedIn was found to have minimal password protection via encryption and did not employ several standard encryption techniques used to protect passwords. Most companies will use a technique known as “salting,” which adds a series of random digits to the end of hashed passwords to make them more difficult to crack. Salting can be performed at little to no cost with just a few additional lines of code. Most companies use complicated cryptographic functions to salt passwords, but, incredibly, LinkedIn had not salted its users’ passwords at all, the security equivalent of leaving one’s valuables unattended in a crowded area. Most companies store hashed passwords on separate, secure Web servers to make it more difficult for hackers to break in.
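The text above describes salting briefly. In practice the random salt is combined with the password before it is hashed, so that two users who chose the same password get different stored values and no single precomputed table of common-password hashes matches every account; the salt is stored beside the digest so the login check can repeat the computation. The following Python is an added example, not code from the textbook or from LinkedIn; the sample users, their passwords and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample credential store (not LinkedIn's data): two users who
# happen to have chosen the same password.
SAMPLE_USERS = {"alice": "Summer2012!", "bob": "Summer2012!"}


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare hash of the password with no per-user salt.

    Every user with the same password gets the same stored value, so one
    precomputed table of common-password hashes matches all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Hardened scheme: a random per-user salt is mixed into the password
    before hashing, here via the PBKDF2 password-hashing function.

    The stored record carries the iteration count and the salt alongside the
    digest ('iterations$salt_hex$digest_hex') because verification needs
    both. The salt is not secret; its job is to make each record unique.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_stored_values(users: dict) -> tuple:
    """Count the distinct stored values each scheme produces for the same users.

    With unsalted hashing, users sharing a password collapse to one value
    (1 for the sample store); with salting every record is distinct (2),
    even though the underlying passwords are identical.
    """
    unsalted = {unsalted_hash(p) for p in users.values()}
    salted = {salted_hash(p) for p in users.values()}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    print("distinct stored values (unsalted, salted):", distinct_stored_values(SAMPLE_USERS))
    record = salted_hash(SAMPLE_USERS["alice"])
    print("stored record:", record)
    print("verify correct password:", verify_salted("Summer2012!", record))
    print("verify wrong password:  ", verify_salted("Winter2012!", record))
```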
The total cost for a company like LinkedIn to set up robust password, Web server, and application security would be in the low six figures, but the average data breach costs companies $5.5 million, according to a Symantec-sponsored study by the Ponemon Institute. LinkedIn's losses might end up being even higher than that, which makes their near-total disregard for data security even more surprising. Some security experts believe that the lack of liability for companies like LinkedIn is a major reason for their lax security policies. Unlike other industries, where basic consumer protections are overseen and protected, computer security and social network data security are not regulated and are poorly protected by many companies. Additionally, with social networks, people tend not to leave a service because of a data breach. For example, in the wake of the breach, many users wanted to leave LinkedIn, but opted not to because it is the most prominent social network for business networking.

(Chapter-opening photo: © Rafal Olechowski/Shutterstock)

Immediately after the password theft, LinkedIn quickly assured its customers that their data were secure. The company disabled the 6.5 million published passwords and announced that it had begun an initiative to salt passwords to increase security. Nevertheless, LinkedIn now faces a $5 million class-action lawsuit that asserts that LinkedIn failed to follow even the minimal industry-standard practices for data protection, specifically more recent forms of salting hashed passwords. Security experts noted that LinkedIn’s security procedures would have been state of the art several years ago, but that they had done little to keep up with and protect themselves from the surge in data breaches in the last year or two. LinkedIn must not only update their security to today’s standards, but must also adopt the mindset that protecting consumer data is an ongoing effort, not a one-time fix.
Sources: “LinkedIn Faces $5 Million Lawsuit After Password Breach,” CIO Insight, June 22, 2012; “LinkedIn Defends Reaction in Wake of Password Theft,” The Wall Street Journal, June 10, 2012; “Lax Security at LinkedIn Is Laid Bare,” The New York Times, June 10, 2012; “Why ID Thieves Love Social Media,” Marketwatch, March 25, 2012.

The problems created by the theft of 6.5 million passwords at LinkedIn illustrate some of the reasons why businesses need to pay special attention to information system security. LinkedIn provides important benefits to both individuals and businesses. But from a security standpoint, LinkedIn did not sufficiently protect its Web site from hackers, who were able to steal sensitive user information.

The chapter-opening diagram calls attention to important points raised by this case and this chapter. Although LinkedIn’s management has some security technology and procedures in place, it has not done enough to protect its user data. It failed to use standard password encryption techniques, including “salting,” to protect user passwords. The “social” nature of this site and large number of users make it unusually attractive for criminals and hackers intent on stealing valuable personal and financial information and propagating malicious software. Given LinkedIn’s large user base and the social nature of the site, management did not do enough to protect LinkedIn’s data. LinkedIn’s loyal user base prevented the fallout from the breach from being much greater, and most people decided they needed to stay with the site because it was so valuable for their careers. Nevertheless, the company faces a multimillion-dollar class action suit as well as reputational damage. For all companies the lesson is clear: difficulties of eradicating malicious software or repairing damage caused by identity theft add to operational costs and make both individuals and businesses less effective.
Here are some questions to think about: What management, organization, and technology factors contributed to the LinkedIn data breach? What was the business impact of the data breach?

8.1 SYSTEM VULNERABILITY AND ABUSE

Can you imagine what would happen if you tried to link to the Internet without a firewall or antivirus software? Your computer would be disabled in a few seconds, and it might take you many days to recover. If you used the computer to run your business, you might not be able to sell to your customers or place orders with your suppliers while it was down. And you might find that your computer system had been penetrated by outsiders, who perhaps stole or destroyed valuable data, including confidential payment data from your customers. If too much data were destroyed or divulged, your business might never be able to operate! In short, if you operate a business today, you need to make security and control a top priority.

Security refers to the policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, and organizational procedures that ensure the safety of the organization’s assets, the accuracy and reliability of its records, and operational adherence to management standards.

WHY SYSTEMS ARE VULNERABLE

When large amounts of data are stored in electronic form, they are vulnerable to many more kinds of threats than when they existed in manual form. Through communications networks, information systems in different locations are interconnected. The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network. Figure 8.1 illustrates the most common threats against contemporary information systems. They can stem from technical, organizational, and environmental factors compounded by poor management decisions.
FIGURE 8.1 CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

In the multi-tier client/server computing environment illustrated here, vulnerabilities exist at each layer and in the communications between the layers. Users at the client layer can cause harm by introducing errors or by accessing systems without authorization. It is possible to access data flowing over networks, steal valuable data during transmission, or alter messages without authorization. Radiation may disrupt a network at various points as well. Intruders can launch denial-of-service attacks or malicious software to disrupt the operation of Web sites. Those capable of penetrating corporate systems can destroy or alter corporate data stored in databases or files. Systems malfunction if computer hardware breaks down, is not configured properly, or is damaged by improper use or criminal acts. Errors in programming, improper installation, or unauthorized changes cause computer software to fail. Power failures, floods, fires, or other natural disasters can also disrupt computer systems.

Domestic or offshore partnering with another company adds to system vulnerability if valuable information resides on networks and computers outside the organization’s control. Without strong safeguards, valuable data could be lost, destroyed, or could fall into the wrong hands, revealing important trade secrets or information that violates personal privacy.

The popularity of handheld mobile devices for business computing adds to these woes. Portability makes cell phones, smartphones, and tablet computers easy to lose or steal.
Smartphones share the same security weaknesses as other Internet devices, and are vulnerable to malicious software and penetration from outsiders. Smartphones used by corporate employees often contain sensitive data such as sales figures, customer names, phone numbers, and e-mail addresses. Intruders may be able to access internal corporate systems through these devices.

Internet Vulnerabilities

Large public networks, such as the Internet, are more vulnerable than internal networks because they are virtually open to anyone. The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. When the Internet becomes part of the corporate network, the organization’s information systems are even more vulnerable to actions from outsiders. Computers that are constantly connected to the Internet by cable modems or digital subscriber line (DSL) lines are more open to penetration by outsiders because they use fixed Internet addresses where they can be easily identified. (With dial-up service, a temporary Internet address is assigned for each session.) A fixed Internet address creates a fixed target for hackers.

Telephone service based on Internet technology (see Chapter 7) is more vulnerable than the switched voice network if it does not run over a secure private network. Most Voice over IP (VoIP) traffic over the public Internet is not encrypted, so anyone with a network can listen in on conversations. Hackers can intercept conversations or shut down voice service by flooding servers supporting VoIP with bogus traffic.

Vulnerability has also increased from widespread use of e-mail, instant messaging (IM), and peer-to-peer file-sharing programs. E-mail may contain attachments that serve as springboards for malicious software or unauthorized access to internal corporate systems. Employees may use e-mail messages to transmit valuable trade secrets, financial data, or confidential customer information to unauthorized recipients.
Popular IM applications for consumers do not use a secure layer for text messages, so they can be intercepted and read by outsiders during transmission over the public Internet. Instant messaging activity over the Internet can in some cases be used as a back door to an otherwise secure network. Sharing files over peer-to-peer (P2P) networks, such as those for illegal music sharing, may also transmit malicious software or expose information on either individual or corporate computers to outsiders.

Wireless Security Challenges

Is it safe to log onto a wireless network at an airport, library, or other public location? It depends on how vigilant you are. Even the wireless network in your home is vulnerable because radio frequency bands are easy to scan. Both Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers. Local area networks (LANs) using the 802.11 standard can be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software. Hackers use these tools to detect unprotected networks, monitor network traffic, and, in some cases, gain access to the Internet or to corporate networks.

Wi-Fi transmission technology was designed to make it easy for stations to find and hear one another. The service set identifiers (SSIDs) that identify the access points in a Wi-Fi network are broadcast multiple times and can be picked up fairly easily by intruders’ sniffer programs (see Figure 8.2). Wireless networks in many locations do not have basic protections against war driving, in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic. An intruder that has associated with an access point by using the correct SSID is capable of accessing other resources on the network.
For example, the intruder could use the Windows operating system to determine which other users are connected to the network, access their computer hard drives, and open or copy their files.

FIGURE 8.2 WI-FI SECURITY CHALLENGES
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

Intruders also use the information they have gleaned to set up rogue access points on a different radio channel in physical locations close to users to force a user’s radio network interface controller (NIC) to associate with the rogue access point. Once this association occurs, hackers using the rogue access point can capture the names and passwords of unsuspecting users.

MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN HORSES, AND SPYWARE

Malicious software programs are referred to as malware and include a variety of threats, such as computer viruses, worms, and Trojan horses. A computer virus is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without user knowledge or permission. Most computer viruses deliver a “payload.” The payload may be relatively benign, such as instructions to display a message or image, or it may be highly destructive—destroying programs or data, clogging computer memory, reformatting a computer’s hard drive, or causing programs to run improperly. Viruses typically spread from computer to computer when humans take an action, such as sending an e-mail attachment or copying an infected file.

Most recent attacks have come from worms, which are independent computer programs that copy themselves from one computer to other computers over a network. Unlike viruses, worms can operate on their own without attaching to other computer program files and rely less on human behavior in order to spread from computer to computer.
This explains why computer worms spread much more rapidly than computer viruses. Worms destroy data and programs as well as disrupt or even halt the operation of computer networks.

Worms and viruses are often spread over the Internet from files of downloaded software, from files attached to e-mail transmissions, or from compromised e-mail messages, online ads, or instant messaging. Viruses have also invaded computerized information systems from “infected” disks or infected machines. Especially prevalent today are drive-by downloads, consisting of malware that comes with a downloaded file that a user intentionally or unintentionally requests.

Hackers can do to a smartphone just about anything they can do to any Internet device: request malicious files without user intervention, delete files, transmit files, install programs running in the background to monitor user actions, and potentially convert the smartphone into a robot in a botnet to send e-mail and text messages to anyone. With smartphones starting to outsell PCs, and smartphones increasingly used as payment devices, they are becoming a major avenue for malware. Malware targeting mobile devices is not yet as extensive as that targeting larger computers, but nonetheless is spreading using e-mail, text messages, Bluetooth, and file downloads from the Web via Wi-Fi or cellular networks. The security firm McAfee found nearly 13,000 different kinds of malware targeting mobile devices in 2012 compared to less than 2,000 in 2011, with almost all attacks targeting devices using Google’s Android operating system (Graziano, 2012). Mobile device viruses pose serious threats to enterprise computing because so many wireless devices are now linked to corporate information systems.

Blogs, wikis, and social networking sites such as Facebook have emerged as new conduits for malware or spyware.
These applications allow users to post software code as part of the permissible content, and such code can be launched automatically as soon as a Web page is viewed. On July 4, 2011, hackers broke into the “Fox News Politics” Twitter account, sending fake messages about President Barack Obama. The hackers changed the account's password, preventing Fox from correcting the messages for hours (Sherr, 2011).

Internet security firm Symantec reported in 2012 that it had detected 403 million new and unique threats from malicious software in 2011, up from 286 million in 2010. Symantec observed that the amount of harmful software in the world passed the amount of beneficial software in 2007, and as many as one of every 10 downloads from the Web includes harmful programs (Drew and Kopytoff, 2011). According to Symantec, 36 percent of malware today is being targeted at small businesses, because it is more difficult for such companies to protect themselves against so many different types of attacks (Symantec, 2012). Table 8.1 describes the characteristics of some of the most harmful worms and viruses that have appeared to date.

TABLE 8.1 EXAMPLES OF MALICIOUS CODE

NAME | TYPE | DESCRIPTION
Conficker (aka Downadup, Downup) | Worm | First detected in November 2008 and still prevalent. Uses flaws in Windows software to take over machines and link them into a virtual computer that can be commanded remotely. Had more than 5 million computers worldwide under its control. Difficult to eradicate.
Storm | Worm/Trojan horse | First identified in January 2007. Spreads via e-mail spam with a fake attachment. Infected up to 10 million computers, causing them to join its zombie network of computers engaged in criminal activity.
Sasser.ftp | Worm | First appeared in May 2004. Spread over the Internet by attacking random IP addresses. Causes computers to continually crash and reboot, and infected computers to search for more victims. Affected millions of computers worldwide, disrupting British Airways flight check-ins, operations of British coast guard stations, Hong Kong hospitals, Taiwan post office branches, and Australia’s Westpac Bank. Sasser and its variants caused an estimated $14.8 billion to $18.6 billion in damages worldwide.
MyDoom.A | Worm | First appeared on January 26, 2004. Spreads as an e-mail attachment. Sends e-mail to addresses harvested from infected machines, forging the sender’s address. At its peak, this worm lowered global Internet performance by 10 percent and Web page loading times by as much as 50 percent. Was programmed to stop spreading after February 12, 2004.
Sobig.F | Worm | First detected on August 19, 2003. Spreads via e-mail attachments and sends massive amounts of mail with forged sender information. Deactivated itself on September 10, 2003, after infecting more than 1 million PCs and doing $5 to $10 billion in damage.
ILOVEYOU | Virus | First detected on May 3, 2000. Script virus written in Visual Basic script and transmitted as an attachment to e-mail with the subject line ILOVEYOU. Overwrites music, image, and other files with a copy of itself and did an estimated $10 billion to $15 billion in damage.
Melissa | Macro virus/worm | First appeared in March 1999. Word macro script mailing infected Word file to first 50 entries in user’s Microsoft Outlook address book. Infected 15 to 29 percent of all business PCs, causing $300 million to $600 million in damage.

A Trojan horse is a software program that appears to be benign but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code to be introduced into a computer system. The term Trojan horse is based on the huge wooden horse used by the Greeks to trick the Trojans into opening the gates to their fortified city during the Trojan War.
Once inside the city walls, Greek soldiers hidden in the horse revealed themselves and captured the city. An example of a modern-day Trojan horse is the MMarketPay.A Trojan for Android phones. This Trojan is hidden in several apps that appear to be legitimate, including travel and weather apps. It places orders for applications and movies automatically without the user’s permission, potentially causing users to be hit with unexpectedly high phone bills. MMarketPay.A has been detected in multiple app stores and has spread to more than 100,000 devices.

SQL injection attacks have become a major malware threat. SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems and networks. These vulnerabilities occur when a Web application fails to properly validate or filter data entered by a user on a Web page, which might occur when ordering something online. An attacker uses this input validation error to send a rogue SQL query to the underlying database to access the database, plant malicious code, or access other systems on the network. Large Web applications have hundreds of places for inputting user data, each of which creates an opportunity for an SQL injection attack. A large number of Web-facing applications are believed to have SQL injection vulnerabilities, and tools are available for hackers to check Web applications for these vulnerabilities. Such tools are able to locate a data entry field on a Web page form, enter data into it, and check the response to see if it shows vulnerability to a SQL injection.

Some types of spyware also act as malicious software. These small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising. Thousands of forms of spyware have been documented. Many users find such spyware annoying, and some critics worry about its infringement on computer users’ privacy.
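The input validation error the SQL injection passage above describes, shown as an added Python example that is not from the textbook: a query built by pasting user text into the SQL string beside its parameterised form, plus the allow-list validation that poorly coded applications skip. The orders table, customer names and the probe string are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for a small online-order system.
SAMPLE_ROWS = [
    (1, "alice", "Wireless mouse"),
    (2, "bob", "USB hub"),
    (3, "carol", "Laptop stand"),
]

# Constructed probe of the kind the text describes: not a customer name but a
# fragment of SQL syntax typed into the customer field.
CONSTRUCTED_BAD_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the sample orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The coding error the text describes: the user's text is concatenated
    into the SQL string, so a quote character in it changes the query's
    meaning and the WHERE clause can be made to match every row."""
    sql = "SELECT id, item FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Hardened form: a parameterised query. The driver sends the value
    separately from the SQL text, so it is only ever treated as data and the
    same probe simply matches no customer."""
    sql = "SELECT id, item FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Allow-list for customer identifiers: lowercase letters, digits, underscore.
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_customer(customer: str) -> bool:
    """Input validation, the second layer the text calls for: reject anything
    that is not a plausible customer identifier before it reaches the
    database at all. Validation complements parameterisation; it does not
    replace it."""
    return CUSTOMER_RE.fullmatch(customer) is not None


def lookup(conn: sqlite3.Connection, customer: str) -> list:
    """Validate first, then query with parameters: both defences applied."""
    if not is_valid_customer(customer):
        raise ValueError("rejected customer identifier")
    return orders_safe(conn, customer)


if __name__ == "__main__":
    conn = make_db()
    print("legit input, vulnerable query:", orders_vulnerable(conn, "alice"))
    print("legit input, safe query:      ", orders_safe(conn, "alice"))
    print("probe, vulnerable query:      ", orders_vulnerable(conn, CONSTRUCTED_BAD_INPUT))
    print("probe, safe query:            ", orders_safe(conn, CONSTRUCTED_BAD_INPUT))
    print("probe passes validation?      ", is_valid_customer(CONSTRUCTED_BAD_INPUT))
```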
Some forms of spyware are especially nefarious. Keyloggers record every keystroke made on a computer to steal serial numbers for software, to launch Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected computer systems, or to pick up personal information such as credit card numbers. For example, the Zeus Trojan stole financial and personal data from online banking and social networking sites by surreptitiously tracking users' keystrokes as they entered data into their computers. Other spyware programs reset Web browser home pages, redirect search requests, or slow performance by taking up too much memory.

HACKERS AND COMPUTER CRIME

A hacker is an individual who intends to gain unauthorized access to a computer system. Within the hacking community, the term cracker is typically used to denote a hacker with criminal intent, although in the public press, the terms hacker and cracker are used interchangeably. Hackers and crackers gain unauthorized access by finding weaknesses in the security protections employed by Web sites and computer systems, often taking advantage of various features of the Internet that make it an open system and easy to use.

Hacker activities have broadened beyond mere system intrusion to include theft of goods and information, as well as system damage and cybervandalism, the intentional disruption, defacement, or even destruction of a Web site or corporate information system. For example, cybervandals have turned many of the MySpace “group” sites, which are dedicated to interests such as home beer brewing or animal welfare, into cyber-graffiti walls, filled with offensive comments and photographs.

Spoofing and Sniffing

Hackers attempting to hide their true identities often spoof, or misrepresent, themselves by using fake e-mail addresses or masquerading as someone else.
Spoofing also may involve redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business as well as sensitive customer information from the true site. We provide more detail on other forms of spoofing in our discussion of computer crime.

A sniffer is a type of eavesdropping program that monitors information traveling over a network. When used legitimately, sniffers help identify potential network trouble spots or criminal activity on networks, but when used for criminal purposes, they can be damaging and very difficult to detect. Sniffers enable hackers to steal proprietary information from anywhere on a network, including e-mail messages, company files, and confidential reports.

Denial-of-Service Attacks

In a denial-of-service (DoS) attack, hackers flood a network server or Web server with many thousands of false communications or requests for services to crash the network. The network receives so many queries that it cannot keep up with them and is thus unavailable to service legitimate requests. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and overwhelm the network from numerous launch points. For example, hours after the U.S. Department of Justice shut down file-sharing site Megaupload on January 19, 2012, the Anonymous hacker collective launched extensive retaliatory DDoS attacks against federal and entertainment industry Web sites. Web sites belonging to the FBI, U.S. Department of Justice, U.S. Copyright Office, Universal Music, the Recording Industry Association of America, and the Motion Picture Association of America were knocked offline for a large part of the day.
Although DoS attacks do not destroy information or access restricted areas of a company’s information systems, they often cause a Web site to shut down, making it impossible for legitimate users to access the site. For busy e-commerce sites, these attacks are costly; while the site is shut down, customers cannot make purchases. Especially vulnerable are small and midsize businesses whose networks tend to be less protected than those of large corporations.

Perpetrators of DDoS attacks often use thousands of “zombie” PCs infected with malicious software without their owners’ knowledge and organized into a botnet. Hackers create these botnets by infecting other people’s computers with bot malware that opens a back door through which an attacker can give instructions. The infected computer then becomes a slave, or zombie, serving a master computer belonging to someone else. Once hackers infect enough computers, they can use the amassed resources of the botnet to launch DDoS attacks, phishing campaigns, or unsolicited “spam” e-mail. Ninety percent of the world's spam and 80 percent of the world's malware are delivered via botnets. For example, the Grum botnet, once the world's third-largest botnet, was reportedly responsible for 18% of worldwide spam traffic (amounting to 18 billion spam messages per day) when it was shut down on July 19, 2012. At one point Grum had infected and controlled 560,000–840,000 computers.