
Faculty of Computing and Informatics

Business Management Information Systems – BMC511S
Lesson 4 – Securing Information Systems, Ethical & Social Issues in Information Systems
03 May 2021

Security of information systems

1. An introduction to the security of information systems
2. Areas of vulnerabilities in information systems
3. Hackers and computer crime
4. Information systems controls
5. Tools and technologies for safeguarding information resources
6. The business value of security and control in IS

An introduction to the security of information systems


• Security – the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems
• Controls – the methods, policies and organisational procedures that ensure the safety of an organisation’s assets, the accuracy and reliability of its records and operational adherence to management standards

Areas of vulnerabilities in IS – malicious software


• Malware – malicious software programs, e.g. computer viruses, worms, Trojan horses
• Computer virus – rogue software that attaches itself to other software programs or data files in order to be executed, e.g. to display a message, destroy data or clog the computer
• Worms – computer programs that copy themselves from one computer to other computers over the network. They don’t attack other programs, but destroy data and programs to halt operations
• Trojan horse – a software program that does not replicate like a virus but opens the way for malicious code to be introduced, e.g. to steal login details

Other areas of vulnerabilities in information systems


• Internet vulnerability – hackers can intercept conversations and flood servers with bogus traffic
• Wireless security challenges – e.g. radio frequency bands are easy to scan; hackers use tools to detect and monitor unprotected networks
• SQL injection attacks – take advantage of vulnerabilities in poorly-coded web application software to introduce malicious programs
• Ransomware – takes control of computers, and users have to pay to regain access
• Spyware – software that installs itself on computers to monitor web-surfing activity
• Keyloggers – record every keystroke made on a computer to steal passwords, personal information, etc.
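The "poorly-coded web application" case from the SQL injection bullet, as an added example that is not part of the original slides: a login query assembled by string formatting beside its parameterised form, run against a constructed in-memory SQLite table. The table, the credentials and the malformed test input are all constructed for this demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table for the demonstration (not real data).
    Passwords are stored in clear text only to keep the query example short;
    a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The poorly-coded form: user input is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """The hardened form: placeholders are bound by the database driver, so the
    input is always treated as a value and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Constructed test input: a quote that closes the string plus an always-true clause.
MALFORMED_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("correct password, safe form     :", login_safe(db, "alice", "correct-horse"))
    print("malformed input, vulnerable form:", login_vulnerable(db, "alice", MALFORMED_PASSWORD))
    print("malformed input, safe form      :", login_safe(db, "alice", MALFORMED_PASSWORD))
```

The vulnerable form accepts the malformed input without knowing the password; the parameterised form rejects it, which is the control the slide is pointing at.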

Hackers and computer crime


• A hacker is an individual who intends to gain unauthorized access to a computer system by finding weaknesses in the security of the system
• Spoofing: hackers hide their true identity by using fake email addresses or masquerading as someone else, e.g. directing customers to fake websites
• Sniffer: a type of eavesdropping program that monitors information travelling over a network
• Denial-of-service attacks: hackers flood a server with requests for services or email, crashing the network
• Computer crime – any violation of criminal law that involves knowledge of computer technology for its perpetration, investigation or prosecution

Hackers and computer crime


• Identity theft: an impostor obtains key pieces of personal information such as an ID, driver’s licence or credit card details
• Phishing: a form of spoofing that involves setting up websites or sending email messages that look like those of legitimate businesses in order to ask users for confidential personal data
• Evil twins: wireless networks that pretend to offer trustworthy WiFi connections to the internet, e.g. in airport lounges or hotels, in order to capture passwords
• Pharming: redirects users to a bogus web page, even when the individual types the correct web page address into their web browser

Hackers and computer crime


• Click fraud: when you click on an ad on a search engine, the click directs the potential buyer to a company website, and the company pays the search engine for the service. When a click occurs but the customer is not directed to the company’s website, the company pays the search engine for nothing
• Cyber warfare: a state-sponsored activity designed to cripple another state or nation by penetrating its computers or networks for the purpose of causing damage and disruption
• Internal threats from employees: employees have access to privileged information; employees forget passwords or allow co-workers to use them.

Information systems controls


• General controls – govern the design, security and use of computer programs and the security of data files throughout an organisation’s IT infrastructure
• Software controls – monitor the use of systems software and prevent unauthorised access to software programs, systems software and computer programs
• Hardware controls – ensure computer hardware is physically secure and check for equipment malfunction
• Computer operations controls – ensure programmed procedures are consistently and correctly applied to the storage and processing of data, e.g. backup and recovery procedures

Information systems controls


• Data security controls: ensure that valuable business data files are not subject to unauthorized access, change or destruction while they are in use or in storage
• Implementation controls: audit the systems development process at various points to ensure that the process is properly controlled and managed
• Administrative controls: formalise standards, rules, procedures and control disciplines to ensure that the organisation’s general and application controls are properly executed and enforced

Information systems controls – application controls


• Application controls are specific controls that are unique to each computerized application
• Input controls – check data for accuracy and completeness when they enter the system
• Processing controls – establish that the data are complete and accurate during updating
• Output controls – ensure that the results of computer processing are accurate, complete and properly distributed

Tools and technologies for safeguarding information resources

• Identity management and authentication – the process of keeping track of all users and their system privileges, assigning each user a unique digital identity for accessing each system, e.g. a password, biometric identification or a smart card
• Firewalls – prevent unauthorized users from accessing private networks. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic
• Intrusion detection systems – full-time monitoring tools placed at the most vulnerable points of networks to detect and deter intruders; the system sends an alarm if it finds a suspicious event
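An added example (not from the original slides) of the alarm an intrusion detection system raises, applied to the request-flooding case from the denial-of-service bullet: a sliding-window counter over web-server log lines that flags any client exceeding a request threshold. The log lines, addresses, threshold and window size are all constructed for this demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def detect_floods(lines, threshold=20, window_seconds=10):
    """Alarm on any client sending more than `threshold` requests within a
    sliding window of `window_seconds`. Returns {client_ip: time of alarm}."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    alarms = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # a malformed line must not stop the monitor
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop requests that fell out of the window
        if len(window) > threshold and ip not in alarms:
            alarms[ip] = ts       # first time this client crossed the threshold
    return alarms

def constructed_log():
    """Constructed sample traffic (not a real capture): two clients browsing
    normally, one client sending 25 requests in five seconds, one garbled line."""
    base = datetime.strptime("03/May/2021:10:00:00 +0000", TS_FMT)
    lines = []
    for i in range(6):            # one ordinary request roughly every 5 seconds
        t = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i % 2 + 1} - - [{t}] "GET /page{i} HTTP/1.1" 200 512')
    for i in range(25):           # burst from a single client
        t = (base + timedelta(seconds=10 + i // 5)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "GET /login HTTP/1.1" 200 128')
    lines.append("corrupted log entry")
    return lines

if __name__ == "__main__":
    for ip, when in detect_floods(constructed_log()).items():
        print(f"ALARM: {ip} exceeded the request threshold at {when:%H:%M:%S}")
```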

Tools and technologies for safeguarding information resources

• Anti-virus and anti-spyware software – prevents, detects and removes malware, including viruses, worms, Trojan horses and spyware
• Unified Threat Management (UTM) – a single appliance combining various security tools, including firewalls, virtual private networks (VPNs), intrusion-detection systems, web filtering and anti-spam software
• Encryption – transforming text or data into cipher text that cannot be read by anyone other than the sender and receiver. Data is encrypted using an encryption key

The business value of security and control in IS

• There are valuable information assets to protect, e.g. confidential information about taxes, medical records and financial assets
• Inadequate security and control may result in serious legal liability and costly litigation
• Computer forensics is the scientific collection, examination, authentication, preservation and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law
13 Storch Street, Private Bag 13388, Windhoek, NAMIBIA
T: +264 61 207 2258  F: +264 61 207 9258
E: fci@nust.na  W: www.nust.na


Thank You.
