Information Security Issues
Learning objectives
• Security issues of an organization
• Computer crimes
• Information system controls
6.1 Information System Security
• Security issues:
• Security may be defined as the protection of both physical and conceptual resources from natural and human hazards.
• Security also refers to the protection of hardware, software, data, procedure and people resources against alteration, destruction or unauthorized use, a concern that has grown with the rise of communications networks.
• A summary of the major security threats in CBIS (computer-based information systems) is shown below.
• Hardware: failure of protection mechanisms, contribution to software failure.
• Software: failure of protection mechanisms, information leakage.
• People:
• Terminal user
– Fraudulent identification
– Illegal leakage of authorized information
– Software piracy
• System programmers
– Bypassing security mechanisms
– Installing an insecure system
• Operator
– Duplication of confidential reports
– Insecure system initialization
– Confidential material theft
• Terminal / workstation
– Located in an insecure environment
– Terminal connected to an earth station at a remote site
– Lack of encryption
• Database
– Unauthorized access
– Copying
• External environment
– Natural disaster
– Malicious attacks
– Unauthorized access
– Computer censor
– Hackers
– Computer use from external networks
– Radiation
6.2 Computer Crimes:
• Computer crime is the use of computer resources to engage in unauthorized or illegal acts. Numerous types of computer crime exist.
• Types of computer crimes:
• Data diddling (performing unauthorized modifications to data).
• The Trojan horse technique (merging criminal code with authorized programs).
• The salami technique (shaving small amounts of money from client balances).
• Unauthorized use of super zap programs (allowing a person to bypass regular system controls).
• Logic bombs (routines that cause a system to become inoperative or to malfunction).
• Hacking (breaking into a computer system just for the challenge of doing so).
• Software piracy (unauthorized copying or use of programs).
Threats
Attacks on Computer Systems
Methods of attack
- Trojan horse
- Salami slicing
- Trap door
- Logic bomb
- Virus
Data Diddling:
• It involves performing unauthorized
modifications to data stored within the
computer system.
• Example:
• An employee in an organization used his
privileged access to falsify his academic record.
• Another common data diddling crime is when a
clerk changes the destination address of
shipment of goods, diverting them to
accomplices.
• The Trojan Horse Technique:
• The name Trojan horse comes from Greek mythology: a large wooden horse left by the Greeks upon their pretended retreat from the siege of Troy.
• In the night, Greek soldiers hidden within the horse opened the gates to the Greek army, which conquered the city.
• In today’s electronic age the equivalent is a block of computer code, hidden within an authorized program, that performs unauthorized acts such as transferring money to a criminal’s bank account.
• Salami Slicing:
• This technique works on the assumption that, if small quantities of money are shaved from a lot of balances that are not closely checked, and these shavings are combined in a central account, that account will swell to a large amount over time.
• The finance sector is particularly vulnerable to the shaver. Interest posted to bank or securities accounts is often not checked by its owners down to the nearest paisa (cent), hence a criminal with access to an interest payment program could divert into his own account all the hundredths of a paisa (cent) in interest that should be credited to the real owners’ accounts.
• Trapdoor Routines:
• These are routines used in program development to allow developers access to various parts of the computer system in order to see that the program is performing correctly.
• A trapdoor is supposed to be removed before the program is put into general use.
• In one case, criminals accessed passwords through a trapdoor that was not removed, and later used the passwords to break into the system.
• Logic Bombs:
• A logic bomb is a routine that causes parts of the computer system to become inoperative or to malfunction as soon as the routine is executed.
• Such logic bombs are often written by irritated programmers who are on the verge of being forced out, to erase key files or programs or to cause programs to halt or process data incorrectly.
• Some software vendors may purposely incorporate logic bombs into programs, usually to disable a software package after a certain time period.
• Computer Viruses: how they spread
• A virus starts when someone writes a program that embeds itself in a host program.
• The virus attaches itself to the host program or data and travels anywhere that the host program or piece of data travels.
• Transmission can occur on outside disks, over data communications networks, or through electronic bulletin boards.
• If undetected by virus scanning and eradication software, the virus is set off either by a time limit or by some set of circumstances, possibly a simple sequence of computer operations by the user.
• Just as a biological virus causes disease by disrupting the normal operations of living cells in an organism, a computer virus invades the inner workings of computers and disrupts normal operations.
• The term computer virus is used to describe a logic bomb in which a piece of unauthorized code acts as a parasite that attaches itself to a host program during a copy operation.
• Computer viruses reproduce and spread: copy commands embedded in the virus code make it reproduce, and transmit commands may be inserted to spread the virus from one computer to others on its network.
Virus problems:
• Virus infections give rise to the following problems:
– Loss of productivity
– Screen messages and lockup
– Unreliable applications
– Loss of user confidence
– Corrupted files
– Lost data
– System crashes
Computer Crime Prevention:
• Various methods used to prevent computer crimes are:
1) Hiring carefully (hire trustworthy people).
2) Monitoring malcontents.
3) Separating employee functions (crimes are harder to commit when people have to collaborate; makers, checkers and signers should be different people).
4) Protecting resources with passwords or access cards.
5) Disguising data or programs in coded form through encryption (encryption is the process of disguising data in a coded form to prevent recognition).
6) Monitoring system transactions (through performance monitor programs).
7) Conducting frequent audits.
8) Educating people in security measures (so that they know about important security issues).
9) Consideration of ethics (standards of moral conduct).
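Prevention method 3, separating employee functions, can be enforced in software rather than left to procedure. The following Python is an added example and not part of these lecture notes: a maker-checker-signer flow that refuses to let one person hold two roles on the same transaction and keeps a log of every step, which is the kind of transaction monitoring method 6 refers to. The Transaction class, the names and the amounts are constructed for illustration.

```python
"""Added example (not from the lecture notes): maker-checker-signer
separation of duties with a transaction log. All names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to hold two roles on one transaction."""


@dataclass
class Transaction:
    tx_id: str
    amount: int                      # smallest currency unit, e.g. paise
    maker: str                       # person who entered the transaction
    checker: Optional[str] = None    # person who verified it
    signer: Optional[str] = None     # person who authorized it
    audit_log: List[str] = field(default_factory=list)

    def record(self, actor: str, action: str) -> None:
        """Append one line to the transaction's log (the monitoring control)."""
        self.audit_log.append(f"{self.tx_id}: {action} by {actor}")

    def check(self, checker: str) -> None:
        if checker == self.maker:
            self.record(checker, "check rejected, same person as maker")
            raise SeparationOfDutiesError(f"{checker} made {self.tx_id} and cannot check it")
        self.checker = checker
        self.record(checker, "checked")

    def sign(self, signer: str) -> None:
        if self.checker is None:
            raise SeparationOfDutiesError(f"{self.tx_id} must be checked before signing")
        if signer in (self.maker, self.checker):
            self.record(signer, "signature rejected, already maker or checker")
            raise SeparationOfDutiesError(f"{signer} already acted on {self.tx_id}")
        self.signer = signer
        self.record(signer, "signed")

    @property
    def approved(self) -> bool:
        """A transaction is released only after three different people acted on it."""
        return self.checker is not None and self.signer is not None


def process_payment(tx_id: str, amount: int, maker: str, checker: str, signer: str) -> Transaction:
    """Run one transaction through all three roles; a blocked attempt stays unapproved."""
    tx = Transaction(tx_id, amount, maker)
    tx.record(maker, "created")
    try:
        tx.check(checker)
        tx.sign(signer)
    except SeparationOfDutiesError as exc:
        tx.audit_log.append(f"{tx_id}: BLOCKED ({exc})")
    return tx


if __name__ == "__main__":
    for tx in (process_payment("T1", 50_000, "alice", "bob", "carol"),    # all roles distinct
               process_payment("T2", 50_000, "alice", "alice", "carol"),  # maker checks own work
               process_payment("T3", 50_000, "alice", "bob", "bob")):     # checker also signs
        print("\n".join(tx.audit_log), "-> approved:", tx.approved)
```

The blocked attempts are not silently dropped: they remain in the log with the reason, which is what an auditor (method 7) would look for when reviewing who tried to short-circuit the approval chain.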
6.3 Information System Controls
• Information system controls are designed to monitor and maintain the quality and security of the following activities of an information system:
– Input
– Processing
– Output
– Storage
Information System Controls
Input Controls
• Encryption
• Data entry screens
• Error signals
• Control totals
Processing Controls
• Software
• Hardware
• Firewalls
• Check points
Storage Controls
• Encryption
• Backup files
• Library procedures
• Database administration
1) Input Controls:
• Here controls are needed for proper entry of data into an IS.
• Examples:
– Passwords
– Security codes
– Formatted data entry screens
– Audible error signals
– Templates, etc.
2) Processing Controls:
• After the data have been entered correctly into a computer, they must be processed properly. Here controls are developed to identify errors in
– Arithmetic calculations
– Logical operations
– and to ensure that data are not lost or left unprocessed.
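Added example (not from the lecture notes) of the input and processing controls just listed, in Python: each field of a hypothetical payment entry screen must match a fixed format, the amount is range-checked, and the security code must belong to the operator named on the record; every failure produces an error signal. The batch routine then counts accepted plus rejected records against the number submitted, so that no record is silently lost or left unprocessed. The field formats, the operator code table and the sample batch are all constructed.

```python
"""Added example (not from the lecture notes): input controls for a
hypothetical payment entry screen. Field formats, operator security codes and
the sample batch are all constructed."""
import re
from decimal import Decimal

# Formatted data entry: each field must match a fixed pattern (constructed).
FIELD_FORMATS = {
    "account": re.compile(r"^\d{10}$"),           # exactly ten digits
    "amount": re.compile(r"^\d{1,9}\.\d{2}$"),    # two fixed decimal places
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),   # ISO date
}
MAX_AMOUNT = Decimal("100000.00")

# Security codes identify the operator who entered the record (constructed).
AUTHORIZED_CODES = {"op17": "4432", "op22": "9180"}

# Constructed batch: one clean record, one bad account number, one with three faults.
SAMPLE_BATCH = [
    {"account": "1234567890", "amount": "250.00", "date": "2024-03-01", "operator": "op17", "code": "4432"},
    {"account": "12345",      "amount": "250.00", "date": "2024-03-01", "operator": "op17", "code": "4432"},
    {"account": "1234567890", "amount": "250",    "date": "03/01/2024", "operator": "op22", "code": "0000"},
]


def validate_record(record):
    """Return the error signals for one record; an empty list means it is accepted."""
    errors = []
    for name, pattern in FIELD_FORMATS.items():
        if not pattern.match(record.get(name, "")):
            errors.append(f"{name}: does not match required format")
    # A range check only makes sense once the amount has the right format.
    if not any(e.startswith("amount") for e in errors):
        amount = Decimal(record["amount"])
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount: outside permitted range")
    # The security code must be the one issued to the operator named on the record.
    if AUTHORIZED_CODES.get(record.get("operator")) != record.get("code"):
        errors.append("code: security code not valid for operator")
    return errors


def process_batch(records):
    """Split a batch into accepted and rejected records, accounting for every one."""
    accepted, rejected = [], []
    for rec in records:
        errs = validate_record(rec)
        (rejected if errs else accepted).append((rec, errs))
    # Processing control: the counts must reconcile, otherwise records were lost.
    if len(accepted) + len(rejected) != len(records):
        raise RuntimeError("record count mismatch: input not fully processed")
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_BATCH)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for rec, errs in bad:
        print(rec["account"], "->", "; ".join(errs))   # the visible error signal
```

Rejected records are returned together with their error list rather than discarded, so the operator can correct and resubmit them and the batch totals still reconcile.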
2) Processing Controls
Hardware Controls
Special checks built into hardware to verify the accuracy of computer processing:
– Malfunction detection circuitry (within the computer or telecommunication processors)
– Redundant components (multiple read/write heads on magnetic tape and disk)
– Special-purpose microprocessors and associated circuitry to support remote diagnostics and maintenance
Software Controls
Ensure that the right data are being processed. E.g. the operating system or other software checks the internal file labels at the beginning and end of magnetic disk and tape files.
Establishment of checkpoints during the processing of a program (checkpoints are intermediate points within a program being processed where intermediate totals, listings etc. are written on a magnetic tape or disk or listed on a printer).
3) Output Controls:
• These are developed to ensure that information
products are correct and complete and are available to
authorized users in a timely manner.
• Most output controls are similar to input control
methods e.g. control totals on output are compared
with control totals generated during the input and
processing stages.
• Online output access of computer networks is typically
controlled by security codes.
• This identifies which users can receive output and also
the type of output they are authorized to receive.
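Added example, not part of the notes, tying the output control above to the salami slicing technique described earlier: control totals (record count and amount total) are taken at input, at processing and at output and compared, and then each account's posted interest is recomputed from its balance. The constructed ledger shows why the per-account step is needed: shaving the rounding residue from every account into one account leaves the aggregate totals in perfect agreement, so only a per-record reconciliation reveals it. Balances, rate, account numbers and the tampered ledger are all constructed.

```python
"""Added example (not from the lecture notes): control totals carried from input
through processing to output, plus a per-account reconciliation. Balances,
rate and account numbers are constructed."""
from decimal import Decimal, ROUND_HALF_EVEN

PAISA = Decimal("0.01")
MONTHLY_RATE = Decimal("0.06") / 12          # constructed: 6% per year, credited monthly

# Constructed input file: account number -> balance in rupees.
BALANCES = {
    "A001": Decimal("1523.47"),
    "A002": Decimal("98211.03"),
    "A003": Decimal("411.19"),
    "A004": Decimal("27001.11"),
    "X999": Decimal("0.00"),      # constructed: an insider's own, empty account
}


def control_totals(records):
    """Record count and amount total, taken at each stage of processing."""
    return {"count": len(records), "total": sum(records.values(), Decimal("0"))}


def expected_interest(balance):
    """Interest a correct program posts: exact product, rounded to the paisa."""
    return (balance * MONTHLY_RATE).quantize(PAISA, rounding=ROUND_HALF_EVEN)


def correct_posting(balances):
    return {acct: expected_interest(bal) for acct, bal in balances.items()}


# Constructed output ledger showing what salami slicing leaves behind: every
# genuine account is one paisa short and the four shaved paise sit in X999.
TAMPERED_LEDGER = {
    "A001": Decimal("7.61"),      # correct value is 7.62
    "A002": Decimal("491.05"),    # correct value is 491.06
    "A003": Decimal("2.05"),      # correct value is 2.06
    "A004": Decimal("135.00"),    # correct value is 135.01
    "X999": Decimal("0.04"),      # correct value is 0.00
}


def reconcile(balances, posted):
    """Output control: compare stage totals, then every account individually."""
    findings = []
    input_totals = control_totals(balances)
    expected = correct_posting(balances)
    processing_totals = control_totals(expected)
    output_totals = control_totals(posted)
    if output_totals["count"] != input_totals["count"]:
        findings.append("record count mismatch between input and output")
    if output_totals["total"] != processing_totals["total"]:
        findings.append("interest total mismatch between processing and output")
    # Aggregate totals can agree while individual credits are wrong, so the
    # output control also recomputes each account's entitlement.
    for acct, amount in expected.items():
        if posted.get(acct) != amount:
            findings.append(f"{acct}: posted {posted.get(acct)} expected {amount}")
    return findings


if __name__ == "__main__":
    print("correct run:", reconcile(BALANCES, correct_posting(BALANCES)))
    print("tampered run:")
    for line in reconcile(BALANCES, TAMPERED_LEDGER):
        print("  ", line)
```

On the tampered ledger the count and total checks both pass, and the five per-account lines are the only findings; an output control that stopped at totals would release the run. The recomputation must be done by a program the interest-posting staff cannot modify, otherwise the control and the process it checks share the same weakness.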
4) Storage Controls
• To use an individual file, a unique file name must be entered. The password to read the contents of a file is different from that required to write to the file (change its contents).
• This feature is a protection. Passwords can also be scrambled or encrypted to avoid their theft or improper use.
• Smart cards, which contain microprocessors that generate random numbers to add to an end user’s password, are used in some secure systems.
• Some firms may use backup files, which are duplicate files of data or programs, stored off premises. Many real-time processing systems use duplicate files which are updated by network links.
• Files are also protected by file retention measures that involve storing copies of master files and transaction files from previous periods.
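Added example (not from the lecture notes) of the storage controls above in Python: a file object whose read password and write password must differ and are stored only as salted hashes (the modern form of the "scrambled" passwords the slide mentions), and which keeps the previous version on every write so an earlier copy can be restored, the retention measure of the last bullet. The file name, passwords and contents are constructed.

```python
"""Added example (not from the lecture notes): a stored file with separate
read and write passwords kept as salted hashes, and retention of earlier
versions as backup copies. Names and passwords are constructed."""
import hashlib
import hmac
import os


class AccessDenied(Exception):
    """Raised when the password presented does not match the required one."""


def hash_password(password: str, salt: bytes) -> bytes:
    """Scrambled form of a password; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ProtectedFile:
    def __init__(self, name: str, read_password: str, write_password: str, content: bytes = b""):
        if read_password == write_password:
            raise ValueError("read and write passwords must differ")
        self.name = name
        self._salt = os.urandom(16)
        self._read_hash = hash_password(read_password, self._salt)
        self._write_hash = hash_password(write_password, self._salt)
        self._content = content
        self._retained = []          # previous versions kept as backup copies

    def _require(self, password: str, stored_hash: bytes) -> None:
        candidate = hash_password(password, self._salt)
        if not hmac.compare_digest(candidate, stored_hash):   # constant-time comparison
            raise AccessDenied(f"{self.name}: password rejected")

    def read(self, password: str) -> bytes:
        self._require(password, self._read_hash)
        return self._content

    def write(self, password: str, new_content: bytes) -> None:
        # The read password alone does not let a user change the contents.
        self._require(password, self._write_hash)
        self._retained.append(self._content)     # retention: keep the previous period's copy
        self._content = new_content

    def restore_previous(self, password: str) -> bytes:
        """Roll back to the most recent retained copy (a write-level operation)."""
        self._require(password, self._write_hash)
        if not self._retained:
            raise LookupError(f"{self.name}: no backup copy retained")
        self._content = self._retained.pop()
        return self._content

    def retained_versions(self) -> int:
        return len(self._retained)


def attempt(action, *args) -> bool:
    """Return True if the action was permitted, False if access was denied."""
    try:
        action(*args)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    f = ProtectedFile("payroll-master.dat", "r3ad-only", "wr1te-key", b"period 1 data")
    print("read with read password:", f.read("r3ad-only"))
    print("write with read password permitted?", attempt(f.write, "r3ad-only", b"tampered"))
    print("write with write password permitted?", attempt(f.write, "wr1te-key", b"period 2 data"))
    print("retained copies:", f.retained_versions(), "restored:", f.restore_previous("wr1te-key"))
```

Keeping the retained copies inside the same object is only a stand-in for the off-premises backups the slide describes; in practice the previous-period copies would be written to separate media or a separate site so that loss of the primary store does not take the backups with it.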