Chapter 15

Course: CET 3323C, Spring 2009
School: UCF
PART V: Implementing and Managing IT
13. Information Technology Economics
14. Building Information Systems
15. Managing Information Resources and Security
16. Impacts of IT on Organizations, Individuals, and Society (online)

CHAPTER 15: Managing Information Resources and Security

Cybercrime in the New Millennium
15.1 The IS Department and End Users
15.2 The CIO in Managing the IS Department
15.3 IS Vulnerability and Computer Crimes
15.4 Protecting Information Resources: From National to Organizational Efforts
15.5 Securing the Web, Intranets, and Wireless Networks
15.6 Business Continuity and Disaster Management
15.7 Implementing Security: Auditing and Risk Analysis
Minicases: (1) Home Depot / (2) Managing Security

LEARNING OBJECTIVES

After studying this chapter, you will be able to:
- Recognize the difficulties in managing information resources.
- Understand the role of the IS department and its relationships with end users.
- Discuss the role of the chief information officer.
- Recognize information systems vulnerability, attack methods, and the possible damage from malfunctions.
- Describe the major methods of defending information systems.
- Describe the security issues of the Web and electronic commerce.
- Describe business continuity and disaster recovery planning.
- Understand the economics of security and risk management.

CYBERCRIME IN THE NEW MILLENNIUM

On January 1, 2000, the world was relieved to know that the damage to information systems due to the Y2K problem was minimal. However, only about six weeks into the new millennium, computer systems around the world were attacked, unexpectedly, by criminals. On February 6, 2000, the biggest e-commerce sites were falling like dominos. First was Yahoo, which was forced to close down for three hours. Next were eBay, Amazon.com, E*Trade, and several other major EC and Internet sites that had gone dark. The attacker(s) used a method called denial of service (DoS).
By hammering a Web site's equipment with too many requests for information, an attacker can effectively clog a system, slowing performance or even crashing a site. All one needs to do is to get the DoS software (available for free in many hacking sites), break into unrelated unprotected computers and plant some software there, select a target site, and instruct the unprotected computers to repeatedly send requests for information to the target site. It is like constantly dialing a telephone number so that no one else can get through. It takes time for the attacked site to identify the sending computers and to block e-mails from them. Thus, the attacked site may be out of service for a few hours.

The magnitude of the damage was so large that on February 9, the U.S. Attorney General pledged to track down the criminals and ensure that the Internet remains secure. This assurance did not last too long, as can be seen from the following story told by Professor Turban:

"When I opened my e-mail on May 4, 2000, I noticed immediately that the number of messages was larger than usual. A closer observation revealed that about 20 messages were titled 'I LOVE YOU', and most of them came from faculty, secretaries, and administrators at City University of Hong Kong. It was not my birthday and there was no reason to believe that so many people would send me love messages the same day. My initial thought was to open one message to find out what's going on. But, on second thought I remembered the Melissa virus and the instructions not to open any attachment of a strange e-mail. I picked up the telephone and called one of the senders, who told me not to open the attachment since it contained a deadly virus."

Although Professor Turban's system escaped the virus, thousands of users worldwide opened the "love" attachment and released the bug. It is interesting to note that the alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines.
The damage, according to Zetter and Miastkowski (2000), was estimated at $8.7 billion worldwide.

Sources: Compiled from news items during May 3–11, 2000, and from Zetter and Miastkowski (2000).

LESSONS LEARNED FROM THIS CASE

Since May 2000 there have been more than a dozen major virus attacks, and hundreds of small ones, causing damages to organizations and individuals (see Richardson, 2003). Clearly, information resources, including computers, networks, programs, and data, are vulnerable to unforeseen attacks. Attackers can zero in on a single company, or can attack many companies and individuals without discrimination, using various attack methods. Although variations of the attack methods are known, the defense against them is difficult and/or expensive. As the story of the "love" virus demonstrated, many countries do not have sufficient laws to deal with computer criminals. For all of these reasons, protection of networked systems can be a complex issue.

The actions of people or of nature can cause an information system to function in a way different from what was planned. It is important, therefore, to know how to ensure the continued operation of an IS and to know what to do if the system breaks down. These and similar issues are of concern to the management of information resources, the subject of this chapter. In this chapter we look at how the IS department and end users work together; the role of the chief information officer; and the issue of information security and control in general and of Web systems in particular. Finally, we deal with plans of business continuity after a disaster, and the costs of preventing computer hazards.

15.1 THE IS DEPARTMENT AND END USERS

Throughout this book, we have seen that information systems are used to increase productivity and help achieve quality, timeliness, and satisfaction for both employees and customers.
Most large, many medium, and even some small organizations around the world are strongly dependent on IT. Their information systems have considerable strategic importance.

The IS Department in the Organization

IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. Information resources management (IRM) encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources. The division of responsibility depends on many factors, beginning with the amount of IT assets and nature of duties involved in IRM, and ending with outsourcing policies. Decisions about the roles of each party are made during the IS planning (Chapter 9). (For some insights, see Sambamurthy et al., 2001.)

A major decision that must be made by senior management is where the ISD is to report in the organizational hierarchy. Partly for historical reasons, a common place to find the ISD is in the accounting or finance department. In such situations, the ISD normally reports to the controller or the chief financial officer. The ISD might also report to one of the following: (1) a vice president of technology, (2) an executive vice president (e.g., for administration), or (3) the CEO.

THE IS DIRECTOR AS A CHIEF. To show the importance of the IS area, some organizations call the director of IS a chief information officer (CIO), a title similar to chief financial officer (CFO) and chief operating officer (COO). Typically, only important or senior vice presidents receive this title. Other common titles are: vice president for IS, vice president for information technology, or director of information systems.
(Unfortunately, as Becker (2003) reports, some companies provide the title CIO, but do not accord the position the importance other chiefs are getting.) The title of CIO and the position to whom this person reports reflect, in many cases, the degree of support being shown by top management to the ISD.

The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas. In some organizations the IS functions are distributed, depending on their nature (see Minicase 1). To be most effective, the ISD needs to take as broad a view as possible.

THE NAME AND POSITION OF THE IS DEPARTMENT. The name of the ISD is also important. Originally it was called the Data Processing (DP) Department. Then the name was changed to the Management Information Systems (MIS) Department and then to the Information Systems Department (ISD). In addition, one can find names such as Information Technology Department, Corporate Technology Center, and so on. In very large organizations the ISD can be a division, or even an independent corporation (such as at Bank of America and at Boeing Corp.). Some companies separate their e-commerce activities, creating a special online division. This is the approach taken by Qantas Airways, for example. In others, e-commerce may be combined with the ISD in a technology department or division. Becker (2003) reports on a study that shows that companies get the largest return from IT when they treat the ISD like any other important part of their business. The status of the ISD also depends on its mission and internal structure.
Agarwal and Sambamurthy (2002) found in a survey that companies usually organize their IT function in one of the following ways: making IT an active partner in business innovation, providing IT resources for innovation and global reach, or seeking flexibility via a considerable amount of outsourcing. The increased role and importance of IT and its management, both by a centralized unit and by end users, require careful understanding of the manner in which the ISD is organized as well as of the relationship between the ISD and end users. These topics are discussed next. Also, for more on the connection between the ISD and the organization, see the IRM feedback model in Online File W15.1 at the book's Web site.

The IS Department and End Users

It is extremely important to have a good relationship between the ISD and end users. Unfortunately, though, this relationship is not always optimal. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received from the ISD. (For the issue of how to measure the quality of IS services, see Jiang et al., 2002.) Conflicts occur for several reasons, ranging from the fact that priorities of the ISD may differ from those of the end users to lack of communication. Also, there are some fundamental differences between the personalities, cognitive styles, educational backgrounds, and gender proportion of the end users versus the ISD staff (generally more males in the ISD) that could contribute to conflicts. An example of such conflict is illustrated in IT At Work 15.1. The Minnesota situation is fairly common.
One of this book's authors, when acting as a consultant to an aerospace company in Los Angeles, found that end users frequently bought nonstandard equipment by making several smaller purchases instead of one large one, because the smaller purchases did not require authorization by the ISD. When asked if the ISD knew about this circumventing of the rules, a violating manager answered, "Of course they know, but what can they do, fire me?"

IT At Work 15.1: MINNESOTA'S DEPARTMENT OF TRANSPORTATION VIOLATES PROCEDURES

The Department of Transportation in Minnesota (dot.state.mn.us) had come across a hybrid PC system that would allow road surveys to be accomplished with less time and effort, and greater accuracy. The system would require two people to conduct a survey instead of the usual three, and because of the precision of the computer-based system, the survey could be done in half the time. The department ran into a problem because the ISD for the State of Minnesota had instituted standards for all PCs that could be purchased by any state agency. Specifically, a particular brand of IBM PC was the only PC purchase allowed, without going through a special procedure. The red tape, as well as the unwillingness of the ISD to allow any deviation from the standard, caused a great deal of frustration. As a last resort, the Department of Transportation procured the hybrid PC and camouflaged the transaction as "engineering equipment for conducting surveys." From that point on, its staff decided they would do what they needed to do to get their jobs done, and the less the ISD knew about what they were doing, the better. When asked why they behaved this way, the administrator of the Department of Transportation simply said, "We have to do it this way because the ISD will either try to stop or hold up for a long period of time any decision we want to make, because they just are not familiar enough with the issues that we are facing in our department."

For Further Exploration: What are the organizational risks when the Transportation Department takes this attitude? How can the conflict be resolved?

Generally, the ISD can take one of the following four approaches toward end-user computing:

1. Let them sink or swim. Don't do anything; let the end user beware.
2. Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized, and try to enforce them.
3. Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
4. Offer support. Develop services to aid end users in their computing activities.

Each of these responses presents the IS executive with different opportunities for facilitation and coordination, and each has its advantages and disadvantages.

Fostering the ISD/End-User Relationships

The ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications. Therefore, a partnership between the ISD and the end user is a must. This is not an easy task since the ISD is basically a technical organization that may not understand the business and the users. The users, on the other hand, may not understand information technologies. Also, there could be differences between the ISD (the provider) and the end users in terms of agreement on how to measure the IT services provided (quality, quantity), and such measurement has its own difficulties (see Jiang et al., 2002). Another major reason for tense relationships in many organizations is the difficulties discussed in Chapter 13 regarding the evaluation of IT investment (Seddon et al., 2002). To improve collaboration, the ISD and end users may employ three common arrangements: the steering committee, service-level agreements, and the information center. (For other strategies, see Online File W15.2.)

THE STEERING COMMITTEE.
The corporate steering committee is a group of managers and staff representing various organizational units that is set up to establish IT priorities and to ensure that the ISD is meeting the needs of the enterprise (see Minicase 1). The committee's major tasks are:

- Direction setting. In linking the corporate strategy with the IT strategy, planning is the key activity (see Chapter 9 and Willcocks and Sykes, 2000).
- Rationing. The committee approves the allocation of resources for and within the information systems organization. This includes outsourcing policy.
- Structuring. The committee deals with how the ISD is positioned in the organization. The issue of centralization versus decentralization of IT resources is resolved by the committee.
- Staffing. Key IT personnel decisions involve a consultation-and-approval process made by the committee. Notable is the selection of the CIO and major IT outsourcing decisions.
- Communication. It is important that information regarding IT activities flows freely.
- Evaluating. The committee should establish performance measures for the ISD and see that they are met. This includes the initiation of service-level agreements.

The success of steering committees largely depends on the establishment of IT governance, a formally established set of statements that should direct the policies regarding IT alignment with organizational goals, risk determination, and allocation of resources (Cilli, 2003).

SERVICE-LEVEL AGREEMENTS. Service-level agreements (SLAs) are formal agreements regarding the division of computing responsibility between end users and the ISD and the expected services to be rendered by the ISD. A service-level agreement can be viewed as a contract between each end-user unit and the ISD. If a chargeback system exists, it is usually spelled out in the SLA. The process of establishing and implementing SLAs may be applied to each of the major computing resources: hardware, software, people, data, networks, and procedures.

The divisions of responsibility in SLAs are based on critical computing decisions that are made by end-user managers, who agree to accept certain computing responsibilities and to turn over others to the ISD. Since end-user managers make these decisions, they are free to choose the amount and kind of support they feel they need. This freedom to choose provides a check on the ISD and encourages it to develop and deliver support services to meet end-user needs.

An approach based on SLAs offers several advantages. First, it reduces finger pointing by clearly specifying responsibilities. When a PC malfunctions, everyone knows who is responsible for fixing it. Second, it provides a structure for the design and delivery of end-user services by the ISD. Third, it creates incentives for end users to improve their computing practices, thereby reducing computing risks to the firm.

Establishing SLAs requires the following steps: (1) Define service levels. (2) Divide computing responsibility at each level. (3) Design the details of the service levels, including measurement of quality (see Jiang et al., 2002). (4) Implement service levels. Kesner (2002) adds to these: (5) Assign an SLA owner (the person or department who gets the SLA), (6) monitor SLA compliance, (7) analyze performance, (8) refine SLAs as needed, and (9) improve service to the department or company.

Due to the introduction of Web-based tools for simplifying the task of monitoring enterprise networks, more attention has recently been given to service-level agreements (Adams, 2000). (For an overview of SLAs, see Pantry and Griffiths, 2002; for suggestions on how to control SLAs, see Diao et al., 2002.)

THE INFORMATION CENTER. The concept of the information center (IC) (also known as the user's service center, technical support center, or IS help center) was conceived by IBM Canada in the 1970s as a response to the increased number of end-user requests for new computer applications.
This demand created a huge backlog in the IS department, and users had to wait several years to get their systems built. Today, ICs concentrate on end-user support with PCs, client/server applications, and the Internet/intranet, helping with installation, training, problem resolution, and other technical support.

The IC is set up to help users get certain systems built quickly and to provide tools that can be employed by users to build their own systems. The concept of the IC, furthermore, suggests that the people in the center should be especially oriented toward the users in their outlook. This attitude should be shown in the training provided by the staff at the center and in the way the staff helps users with any problems they might have. There can be one or several ICs in an organization, and they report to the ISD and/or the end-user departments. Further information on the purpose and activities of the IC is provided in Online File W15.3.

The New IT Organization

To carry out its mission in the digital economy, the ISD needs to adapt. Rockart et al. (1996) proposed eight imperatives for ISDs, which are still valid today. These imperatives are summarized in Table 15.1.

TABLE 15.1 The Eight Imperatives for ISDs in the Digital Age

1. Achieve two-way strategic alignment: You must align IT and the organization's strategies (Chapter 9).
2. Develop effective relations with line management: An efficient partnership must be cultured between the end users and the ISD.
3. Develop and deploy new systems quickly: When companies compete on time, the speed of installing new applications and having them run properly are critical needs (Chapter 14).
4. Build and manage infrastructure: Infrastructure is a shared resource. Therefore its planning, architecture, and policy of use must be done properly (Chapter 9).
5. Manage vendor relationships: As more vendors are used in IT projects, their management becomes critical. Vendor relations must be not only contractual, but also strategic and collaborative (Chapter 13).
6. Reskill the IT organization: The skills of IT managers, staff, and technical people must be constantly updated. Using the Web, e-training is popular (Chapters 5, 7).
7. Build high performance: With shrinking IT budgets and the need for new equipment, systems must be very reliable and of high performance, as well as justifiable in terms of cost (Chapter 13). Using a six-sigma approach is recommended.
8. Redesign and manage the centralized IT organization: The ISD, its role, power sharing with end users, and outsourcing strategies must be carefully crafted.

Source: Compiled from Rockart et al. (1996).

Information technology, as shown throughout this book, is playing a critical role in the livelihood of many organizations, small and large, private and public, throughout the world. Furthermore, the trend is for even more IT involvement. Effective ISDs will help their firms apply IT to transform themselves to e-businesses, redesign processes, and access needed information on a tight budget. For more on managing IT in the digital era, see Sambamurthy et al. (2001).

15.2 THE CIO IN MANAGING THE IS DEPARTMENT

Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department's projections and planning difficult. The equipment purchased and maintained by the ISD is scattered all over the enterprise, adding to the complexity of ISD management. Here we will discuss only one issue: the CIO and his or her relationship with other managers and executives.

The Role of the Chief Information Officer

The changing role of the ISD highlights the fact that the CIO is becoming an important member of the organization's top management team (Ross and Feeny, 2000).
Also, the experience of 9/11 changed the role of the CIO, placing him or her in a more important organizational position (see Ball, 2002) because of the organization's realization of the need for IT-related disaster planning and the importance of IT to the organization's activities.

A survey conducted in 1992 found that the prime role of the CIO was to align IT with the business strategy. Secondary roles were to implement state-of-the-art solutions and to provide and improve information access. These roles are supplemented today by several strategic roles because IT has become a strategic resource for many organizations. Coordinating this resource requires strong IT leadership and ISD/end-user collaboration within the organization. In addition, CIO–CEO relationships are crucial for effective, successful utilization of IT, especially in organizations that greatly depend on IT, where the CIO joins the top management "chiefs" group.

The CIO in some cases is a member of the corporate executive committee, the most important committee in any organization, which has responsibility for strategic business planning. Its members include the chief executive officer and the senior vice presidents. The executive committee provides the top-level oversight for the organization's information resources. It guides the IS steering committee that is usually chaired by the CIO. Related to the CIO is the emergence of the chief knowledge officer (CKO, see Chapter 10). A CIO may report to the CKO, or the same person may assume both roles, especially in smaller companies. Major responsibilities that are part of the CIO's evolving role are listed in Online File W15.4.

The CIO in the Web-Based Era

According to Ross and Feeny (2000) and Earl (1999–2000), the CIO's role in the Web-based era is influenced by the following three factors:

- Technology and its management are changing. Companies are using new Web-based business models. Conventional applications are being transformed to Web-based. There is increasing use of B2B e-commerce, supply chain management, CRM, ERP (see Willcocks and Sykes, 2000) and knowledge management applications. The application portfolio includes more and more Web-based applications.
- Executives' attitudes are changing. Greater attention is given to opportunities and risks. At the very least, CIOs are the individuals to whom the more computer-literate executives look for guidance, especially as it relates to e-business. Also, executives are more willing to invest in IT, since the cost-benefit ratio of IT is improving with time.
- Interactions with vendors are increasing. Suppliers of IT, especially the major ones (HP, Cisco, IBM, Microsoft, Sun, Intel, and Oracle), are influencing the strategic thinking of their corporate customers.

The above factors shape the roles and responsibilities of the CIO in the following seven ways:

(1) The CIO is taking increasing responsibility for defining the strategic future.
(2) The CIO needs to understand (with others in the organization) that the Web-based era is more about fundamental business change than about technology.
(3) The CIO is responsible for protecting the ever-increasing IT assets, including the Web infrastructure, against ever-increasing hazards including terrorist attacks.
(4) The CIO is becoming a business visionary who drives business strategy, develops new business models on the Web, and introduces management processes that leverage the Internet, intranets, and extranets.
(5) The CIO needs to argue for a greater measure of central control. For example, placing inappropriate content on the Internet or intranets can be harmful and needs to be monitored and coordinated.
(6) The IT asset-acquisition process must be improved. The CIO and end users must work more closely than ever before.
(7) The increased networked environment may lead to disillusionment with IT, an undesirable situation that the CIO should help to avoid.
These seven challenges place lots of pressure on CIOs, especially in times of economic decline (see Leidner et al., 2003). As a result of the considerable pressures they face, CIOs may earn very high salaries (up to $1,000,000/year in large corporations), but there is high turnover at this position (see Earl, 1999/2000 and Sitonis and Goldberg, 1997). As technology becomes increasingly central to business, the CIO becomes a key mover in the ranks of upper management. For example, in a large financial institution's executive committee meeting, attended by one of the authors, modest requests for additional budgets by the senior vice presidents for finance and for marketing were turned down after long debate. But, at the same meeting the CIO's request for a tenfold addition was approved in only a few minutes.

It is interesting to note that CEOs are acquiring IT skills. According to Duffy (1999), a company's best investment is a CEO who knows technology. If both the CIO and the CEO have the necessary skills for the information age, their company has the potential to flourish. For this reason some companies promote their CIOs to CEOs. According to eMarketer Daily (May 12, 2003), CEOs see security as the second most important area for IT over the next two to three years. We will now turn our attention to one area where the CIO is expected to lead: the security of information systems in the enterprise.

15.3 IS VULNERABILITY AND COMPUTER CRIMES

Information resources are scattered throughout the organization. Furthermore, employees travel with and take home corporate computers and data. Information is transmitted to and from the organization and among the organization's components. IS physical resources, data, software, procedures, and any other information resources may therefore be vulnerable, in many places at any time. Before we describe the specific problems with information security and some proposed solutions, it is necessary to know the key terminology in the field. Table 15.2 provides an overview of that terminology.

TABLE 15.2 IT Security Terms

Backup: An extra copy of the data and/or programs, kept in a secured location(s).
Decryption: Transformation of scrambled code into readable data after transmission.
Encryption: Transformation of data into scrambled code prior to its transmission.
Exposure: The harm, loss, or damage that can result if something has gone wrong in an information system.
Fault tolerance: The ability of an information system to continue to operate (usually for a limited time and/or at a reduced level) when a failure occurs.
Information system controls: The procedures, devices, or software that attempt to ensure that the system performs as planned.
Integrity (of data): A guarantee of the accuracy, completeness, and reliability of data. System integrity is provided by the integrity of its components and their integration.
Risk: The likelihood that a threat will materialize.
Threats (or hazards): The various dangers to which a system may be exposed.
Vulnerability: Given that a threat exists, the susceptibility of the system to harm caused by the threat.

Information Systems Breakdowns

Most people are aware of some of the dangers faced by businesses that are dependent on computers. Information systems, however, can be damaged for many other reasons. The following incidents illustrate representative cases of breakdowns in information systems.

INCIDENT 1. On September 12, 2002, Spitfire Novelties fell victim to what is called a "brute force" credit card attack. On a normal day, the Los Angeles-based company generates between 5 and 30 transactions. That Thursday, Spitfire's credit card transaction processor, Online Data Corporation, processed 140,000 fake credit card charges, worth $5.07 each. Of these, 62,000 were approved. The total value of the approved charges was around $300,000. Spitfire found out about the transactions only when they were called by one of the credit card owners who had been checking his statement online and had noticed the $5.07 charge. Brute force credit card attacks require minimal skill. Hackers simply run thousands of small charges through merchant accounts, picking numbers at random. (For details on a larger credit card scam, see money.cnn.com/2003/02/18/technology/creditcards/index.htm.)

INCIDENT 2. In January 2003 a hacker stole from the database of Moscow's MTS (mobile phone company) the personal details (passport number, age, home address, tax ID number, and more) of 6 million customers, including Russia's president V. V. Putin, and sold them on CD-ROMs for about $15 each. The database can be searched by name, phone number, or address. The information can be used for crimes such as identity theft, where someone uses the personal information of others to create a false identity and then uses it for some fraud (e.g., to get a fake credit card). In Russia neither the theft of such information nor its sale was illegal (see Walsh, 2003).

INCIDENT 3. Destructive software (viruses, worms, and their variants, which are defined and discussed more fully later in the chapter) is flooding the Internet. Here are some examples of the 2003 vintage: SQL Slammer is a worm that carries a self-regenerating mechanism that enables it to multiply quickly across the Internet. It is so good at replicating that it quickly generates a massive amount of data, which slowed Internet traffic mainly in South Korea, Japan, Hong Kong, and some European countries in January 2003. It is a variation of Code Red, which slowed traffic on the Internet in July 2001. On May 18, 2003, a new virus that masqueraded as an e-mail from Microsoft technical support attacked computers in 89 countries. In June 2003, a high-risk virus, W32/Bugbear, started to steal VISA account information (see "Bugbear worm steals," 2003).
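Incident 1 is worth looking at from the merchant's side: Spitfire learned of the attack from a customer, yet the day's transaction stream already carried several signals a monitor could have caught. The following is an added example (not from the textbook or from Spitfire's processor); the log format, the card-token field, and the thresholds are assumptions tuned to the 5-to-30-transactions-per-day baseline the chapter gives.

```python
# Added example (not from the textbook): merchant-side monitor for the
# "brute force" card-charge pattern of Incident 1. Log format, field names
# and thresholds are assumptions; tune them to a real merchant's baseline.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Txn:
    ts: datetime
    card_token: str   # tokenised reference to the card, never the PAN itself
    amount: float
    approved: bool


def parse_line(line: str) -> Txn:
    """Parse one line of the constructed processor log:
    '<ISO timestamp>,<card token>,<amount>,<APPROVED|DECLINED>'."""
    ts, token, amount, status = line.strip().split(",")
    return Txn(datetime.fromisoformat(ts), token, float(amount), status == "APPROVED")


SIGNALS = ("volume", "hourly_burst", "uniform_amount", "low_approval", "mostly_new_cards")


def daily_signals(txns, baseline_max=30, volume_factor=10, uniform_share=0.5,
                  min_approval=0.8, new_card_share=0.9):
    """Compute the signals a merchant-side monitor would check over one day's
    transactions. Each signal alone is weak (a sale can raise volume, a bad
    batch can lower approvals); the attack shape trips several at once."""
    n = len(txns)
    if n == 0:
        return {"count": 0, **{s: False for s in SIGNALS}}
    top_amount_count = Counter(round(t.amount, 2) for t in txns).most_common(1)[0][1]
    busiest_hour = Counter(t.ts.replace(minute=0, second=0) for t in txns).most_common(1)[0][1]
    approved = sum(1 for t in txns if t.approved)
    distinct_cards = len({t.card_token for t in txns})
    return {
        "count": n,
        # daily volume far above the merchant's normal 5-30 transactions
        "volume": n > baseline_max * volume_factor,
        # more transactions in one hour than the merchant sees in a whole day
        "hourly_burst": busiest_hour > baseline_max,
        # one identical amount dominating the day (the $5.07 pattern)
        "uniform_amount": top_amount_count / n >= uniform_share,
        # random card numbers are mostly declined; real customers mostly approve
        "low_approval": approved / n < min_approval,
        # nearly every charge is against a card not seen earlier that day
        "mostly_new_cards": distinct_cards / n >= new_card_share,
    }


def flag_brute_force(lines, min_signals=3):
    """Return (flagged, tripped signal names, raw signals) for one day's log lines."""
    txns = [parse_line(line) for line in lines if line.strip()]
    sig = daily_signals(txns)
    tripped = [s for s in SIGNALS if sig[s]]
    return len(tripped) >= min_signals, tripped, sig


# Constructed sample: an ordinary day for a small merchant.
NORMAL_DAY = [
    "2002-09-11T09:14:02,tok-0a1f,24.99,APPROVED",
    "2002-09-11T10:02:47,tok-7c3e,12.50,APPROVED",
    "2002-09-11T11:31:09,tok-0a1f,24.99,APPROVED",   # repeat customer
    "2002-09-11T12:45:30,tok-e9b2,89.00,DECLINED",
    "2002-09-11T13:20:11,tok-4d88,5.07,APPROVED",
    "2002-09-11T15:05:55,tok-b17a,42.15,APPROVED",
    "2002-09-11T16:40:18,tok-5f60,17.80,APPROVED",
    "2002-09-11T17:58:03,tok-c2d4,63.25,APPROVED",
]


def attack_day(n=2000, amount=5.07):
    """Constructed log with the Incident 1 shape: thousands of identical small
    charges against different card numbers, about 44 percent approved
    (62,000 of 140,000 in the real case), packed into a short window."""
    lines = []
    for i in range(n):
        status = "APPROVED" if i % 9 < 4 else "DECLINED"
        lines.append(f"2002-09-12T00:{(i // 60) % 60:02d}:{i % 60:02d},"
                     f"tok-{i:06x},{amount:.2f},{status}")
    return lines


if __name__ == "__main__":
    for label, log in (("normal day", NORMAL_DAY), ("attack day", attack_day())):
        flagged, tripped, sig = flag_brute_force(log)
        print(f"{label}: {sig['count']} transactions, flagged={flagged}, signals={tripped}")
```

A processor-side version of the same check would aggregate per merchant, which is where the 140,000-charge day stands out even more sharply against a 30-charge baseline.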
INCIDENT 4. On March 15, 2003, a student hacked into the University of Houston computer system and stole Social Security numbers of 55,000 students, faculty, and staff. The student was charged with unauthorized access to protected computers using someone else's ID, with intent to commit a federal crime. The case is still in the courts, and prison time is a possibility.

INCIDENT 5. On February 29, 2000, hundreds of automated teller machines (ATMs) in Japan were shut down, a computer system at a nuclear plant seized up, weather-monitoring devices malfunctioned, display screens for interest rates at the post offices failed, seismographs provided wrong information, and there were many other problems related to programming for leap year. The problem was that years that end in 00 do not get the extra day, added every four years, unless they are divisible by 400 (2000 is such a leap year, but not 1900 or 2100). This rule was not programmed properly in some old programs in Japan, thus creating the problems. In May 2001, a glitch in Japan's air-traffic systems grounded 1,600 domestic flights for 30 minutes while the system was operated manually.

INCIDENT 6. For almost two weeks, a seemingly legitimate ATM operating in a shopping mall near Hartford, Connecticut, gave customers apologetic notes that said, "Sorry, no transactions are possible." Meanwhile, the machine recorded the card numbers and the personal identification numbers that hundreds of customers entered in their vain attempts to make the machine dispense cash. On May 8, 1993, while the dysfunctional machine was still running in the shopping mall, thieves started tapping into the 24-hour automated teller network in New York City. Using counterfeit bank cards encoded with the numbers stolen from the Hartford customers, the thieves removed about $100,000 from the accounts of innocent customers.
The criminals were successful in making an ATM machine do what it was supposedly designed not to do: breach its own security by recording bank card numbers together with personal security codes.

INCIDENT 7. Netscape security is aimed at scrambling sensitive financial data such as credit card numbers and sales transactions so they would be safe from break-ins, by using a powerful 128-bit program. However, using 120 powerful workstations and two supercomputers, in 1996 a French student breached the encryption program in eight days, demonstrating that no program is 100 percent secure.

INCIDENT 8. In 1994 a Russian hacker (who did not know much English) broke into a Citibank electronic funds transfer system and stole more than $10 million by wiring it to accounts around the world. Since then, Citibank, a giant bank that moves about a trillion dollars a day, has increased its security measures, requiring customers to use electronic devices that create new passwords very frequently.

INCIDENT 9. On April 30, 2000, the London Stock Exchange was paralyzed by its worst computer system failure, before finally opening nearly eight hours late. A spokesman for the exchange said the problem, which crippled the supply of prices and firm information, was caused by corrupt data. He gave no further details. Dealers were outraged by the fault, which came on the last day of the tax year and just hours after violent price swings in the U.S. stock markets. The British Financial Services Authority said it viewed the failure seriously, adding it would insist any necessary changes to systems be made immediately and that lessons were learned rapidly to ensure the breakdown was not repeated.

These incidents and the two in the opening case illustrate the vulnerability of information systems, the diversity of causes of computer security problems, and the substantial damage that can be done to organizations anywhere in the world as a result.
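Incident 5 above hinged on the century rule for leap years. The following example, added here and not part of the textbook, implements the full Gregorian rule beside an assumed reconstruction of the shortcut the text blames (treating every year ending in 00 as a common year) and finds the years on which the two disagree.

```python
"""Leap-year rule behind Incident 5 (added example, not from the textbook).

Gregorian rule: a year is a leap year if divisible by 4, except century
years (ending in 00), which are leap years only if also divisible by 400.
The 'buggy' variant is an assumed reconstruction of the shortcut the text
blames: treating every year ending in 00 as a common year.
"""
import calendar


def is_leap_correct(year: int) -> bool:
    """Full Gregorian rule: 2000 and 2400 are leap years; 1900 and 2100 are not."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def is_leap_buggy(year: int) -> bool:
    """Assumed faulty shortcut: 'century years are never leap years'."""
    return year % 4 == 0 and year % 100 != 0


def days_in_february(year: int, rule=is_leap_correct) -> int:
    """Calendar length a program built on the given rule would use."""
    return 29 if rule(year) else 28


def divergent_years(start: int, end: int) -> list:
    """Years in [start, end] where the shortcut and the full rule disagree.

    Over 1900-2100 only 2000 differs: the shortcut gives February 28 days,
    so any schedule, interest or timestamp logic built on it breaks on
    February 29, 2000, exactly the date of the Japanese failures.
    """
    return [y for y in range(start, end + 1)
            if is_leap_correct(y) != is_leap_buggy(y)]


def matches_stdlib(start: int, end: int) -> bool:
    """Cross-check the full rule against the standard library's calendar.isleap."""
    return all(is_leap_correct(y) == calendar.isleap(y)
               for y in range(start, end + 1))


if __name__ == "__main__":
    for y in (1900, 2000, 2004, 2100):
        print(y, "full rule:", is_leap_correct(y), "shortcut:", is_leap_buggy(y))
    print("years where the shortcut is wrong, 1900-2100:", divergent_years(1900, 2100))
```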
The fact is that computing is far from secure (e.g., see Austin and Darby, 2003, and the 2003 FBI report in Richardson, 2003).

System Vulnerability

Information systems are made up of many components that may be housed in several locations. Thus, each information system is vulnerable to many potential hazards or threats. Figure 15.1 presents a summary of the major threats to the security of an information system. Attacks on information systems can be either on internal systems (suffered by about 30% of the responding organizations in the CSI/FBI survey, as reported in Richardson, 2003), or via remote dial-ins (18%), or on Internet-based systems (78%). (See also sans.org/top20 for the most critical Internet security vulnerabilities.) According to CVE (Common Vulnerabilities and Exposures, an organization based at Mitre Corp. that provides information, education, and advice regarding IT vulnerabilities and exposure, along with solutions) (cve.mitre.org/about/terminology.html), there is a distinction between vulnerability and exposure. A universal vulnerability is a state in a computing system (or set of systems) which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the specified access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.
FIGURE 15.1 Security threats. [Diagram mapping threats onto the components of an information system: access controls, firewall, local area network, Internet, database, hardware, systems software, application and systems programmers, terminals, PCs, operators, authorizers, and the external environment.]

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy. We will use the term vulnerability here to include exposure as well (including unintentional threats). Incidentally, by 2002 the CVE had identified more than 5,000 different security issues and problems (see Mitre, 2002). The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing.
Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats. And actually, there are thousands of different ways that information systems can be attacked or damaged. These threats can be classified as unintentional or intentional.

UNINTENTIONAL THREATS. Unintentional threats can be divided into three major categories: human errors, environmental hazards, and computer system failures.

A CLOSER LOOK 15.1 COMPUTER GLITCHES DELAY AIRPORT OPENINGS

When the multibillion-dollar airport was opened in Hong Kong on July 6, 1999, a combination of computer glitches and unprepared personnel turned the airport into chaos. Both travelers and cargo were affected. For example, one software bug erased all inventory records, leaving no clue as to who owned what. Another software bug erased flight information from monitors, preventing passengers from finding flights. Computer problems in the baggage system resulted in 10,000 lost bags. Fresh food and seafood being shipped to restaurants and hotels got spoiled, and considerable business was lost. In the United States, Denver's airport, which opened in 1995, had been plagued by computer glitches as well (see Chapter 14). Similarly, in Malaysia, when a new facility opened on July 1, 1999, a computerized total airport management system collapsed on the first day. In all these airport cases, the problem was not external hackers' attacks or internal intentional acts. The bugs resulted from poor IS planning, lack of coordination, and insufficient testing.

Many computer problems result from human errors. Errors can occur in the design of the hardware and/or information system. They can also occur in the programming, testing, data collection, data entry, authorization, and instructions. Human errors contribute to the vast majority (about 55 percent) of control- and security-related problems in many organizations.
Environmental hazards include earthquakes, severe storms (e.g., hurricanes, snow, sand, lightning, and tornadoes), floods, power failures or strong fluctuations, fires (the most common hazard), defective air conditioning, explosions, radioactive fallout, and water-cooling-system failures. In addition to damage from combustion, computer resources can incur damage from other elements that accompany fire, such as smoke, heat, and water. Such hazards may disrupt normal computer operations and result in long waiting periods and exorbitant costs while computer programs and data files are recreated.

Computer system failures can occur as the result of poor manufacturing or defective materials. Unintentional malfunctions can also happen for other reasons, ranging from lack of experience to inappropriate testing. See A Closer Look 15.1 for the story about recent systems failures at airports.

INTENTIONAL THREATS. As headlines about computer crime indicate, computer systems may be damaged as a result of intentional actions as well. These account for about 30 percent of all computer problems, according to the Computer Security Institute (gocsi.com), but the monetary damage from such actions can be extremely large. Examples of intentional threats include: theft of data; inappropriate use of data (e.g., manipulating inputs); theft of mainframe computer time; theft of equipment and/or programs; deliberate manipulation in handling, entering, processing, transferring, or programming data; labor strikes, riots, or sabotage; malicious damage to computer resources; destruction from viruses and similar attacks; and miscellaneous computer abuses and Internet fraud. In addition, while terrorist attacks do not usually directly target computers, the computers and information systems can be destroyed in such cases, as happened in the 9/11 disaster in New York and Washington, D.C. Intentional threats can even be against whole countries.
Many fear the possibility of cyberattacks by some countries against others.

Computer Crimes

According to the Computer Security Institute (gocsi.com), 64 percent of all corporations experienced computer crimes in 1997. The figures in the years 1998 through 2003 were even higher, about 96 percent in 2003 (per Richardson, 2003). The number, magnitude, and diversity of computer crimes are increasing. Lately, increased fraud related to the Internet and e-commerce is in evidence. For an overview of computer crime, see Loundy, 2003; for FBI statistics for 2002/2003, see Richardson, 2003.

In many ways, computer crimes resemble conventional crimes. They can occur in various ways. First, the computer can be the target of the crime. For example, a computer may be stolen or destroyed, or a virus may destroy data. Second, the computer can be the medium or tool of the attack, by creating an environment in which a crime or fraud can occur. For example, false data are entered into a computer system to mislead individuals examining the financial condition of a company. Finally, the computer can be used to intimidate or deceive. For instance, a stockbroker stole $50 million by convincing his clients that he had a computer program with which he could increase their return on investment by 60 percent per month. Crimes done on the Internet, called cybercrimes (discussed later), can fall into any of these categories.

TYPES OF COMPUTER CRIMES AND CRIMINALS. Crimes can be performed by outsiders who penetrate a computer system (frequently via communication lines) or by insiders who are authorized to use the computer system but are misusing their authorization. Hacker is the term often used to describe an outside person who has penetrated a computer system. For an overview of hacking and the protection against it, see Fadia (2002). A cracker is a malicious hacker, who may represent a serious problem for a corporation. Hackers and crackers may involve unsuspecting insiders in their crimes.
In a strategy called social engineering, computer criminals or corporate spies build an inappropriate trust relationship with insiders for the purpose of gaining sensitive information or unauthorized access privileges. For a description of social engineering and some tips for prevention see Damle (2002) and Online File W15.5.

Computer criminals, whether insiders or outsiders, tend to have a distinct profile and are driven by several motives (see Online File W15.6). Ironically, many employees fit this profile, but only a few of them are criminals. Therefore, it is difficult to predict who is or will be a computer criminal. Criminals use various and frequently innovative attack methods. A large proportion of computer crimes are performed by insiders. According to Richardson (2003) the likely sources of attacks on U.S. companies are: independent hackers (82%), disgruntled employees (78%), U.S. competitors (40%), foreign governments (28%), and foreign corporations (25%). In addition to computer crimes against organizations there is an alarming increase of fraud done against individuals on the Internet. These are a part of cybercrimes.

CYBERCRIMES. The Internet environment provides an extremely easy landscape for conducting illegal activities. These are known as cybercrimes, meaning they are executed on the Internet. Hundreds of different methods and tricks are used by innovative criminals to get money from innocent people, to buy without paying, to sell without delivering, to abuse people or hurt them, and much more. According to Sullivan (2003), between January 1 and April 30, 2003, agencies of the U.S. government uncovered 89,000 victims from whom Internet criminals bilked over $176 million. As a result, on May 16, 2003, the U.S. Attorney General announced that 135 people were arrested nationwide and charged with cybercrime.
The most common crimes were investment swindles and identity theft. The Internet, with its global reach, has also resulted in a growing amount of cross-border fraud (see A Closer Look 15.2).

Identity Theft. A growing cybercrime problem is identity theft, in which a criminal (the identity thief) poses as someone else. The thief steals Social Security numbers and credit card numbers, usually obtained from the Internet, to commit fraud (e.g., to buy products or consume services) that the victim is required to pay for later. The biggest damage to the person whose identity was stolen is the effort needed to restore the damaged credit rating. For details and commercial solutions see idthief.com.

CYBERWAR. There is an increasing interest in the threat of cyberwar, in which a country's information systems could be paralyzed by a massive attack of destructive software. The target systems can range from the ISs of business, industry, government services, and the media to military command systems. One aspect of cyberwar is cyberterrorism, which refers to Internet terrorist attacks. These attacks, like cyberwar, can put the national information infrastructure at risk. The U.S. President's Critical Infrastructure Protection Board (CIPB) is preparing protection plans, policies, and strategies to deal with cyberterrorism. The CIPB is recommending investment in cybersecurity programs. Some of the areas of the CIPB report are: a general policy on information security; asset protection requirements, including controls to ensure the return or destruction of information; technology insurance requirements; intellectual property rights; the right to monitor, and revoke, user activity; specification of physical and technical security standards; and communication procedures in time of emergency. (For more details and debates, see cdt.org/security/critinfra and ciao.gov. For more details on cyberterrorism, see Verton and Brownlow, 2003.)

There are many methods of attack, and new ones appear regularly.
Methods of Attack on Computing Facilities

Of the many methods of attack on computing facilities, the CSI/FBI reports (per Richardson, 2003) the following as most frequent (percentage of responding companies): virus (82%), insider abuse of Internet access (80%), unauthorized access by insiders (45%), theft of laptop (59%), denial of service (DoS) attack (42%), system penetration (36%), sabotage (21%), and theft of proprietary information (21%). In this section we look at some of these methods.

Two basic approaches are used in deliberate attacks on computer systems: data tampering and programming attack. Data tampering, the most common means of attack, refers to entering false, fabricated, or fraudulent data into the computer or changing or deleting existing data. This is the method often used by insiders. For example, to pay for his wife's drug purchases, a savings and loan programmer transferred $5,000 into his personal account and tried to cover up the transfer with phony debit and credit transactions.

A CLOSER LOOK 15.2 CROSS-BORDER CYBERCRIMES

As the Internet grows, so do cross-border scams. According to the U.S. Federal Trade Commission (FTC), there was an increase in the complaints filed by U.S. consumers about cross-border scams of 74 percent in 2002 (to 24,213) (Davidson, 2003). Most complaints involved advance-fee loans, foreign cash offers, and sweepstakes. Scammers based in one country elude authorities by victimizing residents of others, using the Internet. For example, David Lee, a 41-year-old Hong Kong resident, replied to an advertisement in a respected business magazine that offered him free investment advice. After he replied, he received professional-looking brochures and a telephone sales speech. Then he was directed to the Web site of Equity Mutual Trust (Equity), where he was able to track the impressive daily performance of a fund that listed offices in London, Switzerland, and Belize.
From that Web site he was linked to sister funds and business partners. Lee also was linked to what he believed was the well-known investment-fund evaluator company Morningstar (morningstar.com). Actually, the site was an imitation that replicated the original site. The imitation site provided a very high, but false, rating on the Equity Mutual Trust funds. Finally, Lee was directed to read about Equity and its funds in the respected International Herald Tribune's Internet edition; the article appeared to be news but was actually an advertisement. Convinced that he would receive super short-term gains, he mailed US$16,000, instructing Equity to invest in the Grand Financial Fund. Soon he grew suspicious when letters from Equity came from different countries, telephone calls and e-mails were not answered on time, and the daily Internet listings dried up. When Lee wanted to sell, he was advised to increase his investment and shift to a Canadian company, Mit-Tec, allegedly a Y2K-bug troubleshooter. The Web site he was directed to looked fantastic. But this time Lee was careful. He contacted the financial authorities in the Turks and Caicos Islands, where Equity was based at that time, and was referred to the British police. Soon he learned that chances were slim that he would ever see his money again. Furthermore, he learned that several thousand victims had paid a total of about $4 billion to Equity. Most of the victims live in Hong Kong, Singapore, and other Asian countries. Several said that the most convincing information came from the Web sites, including the "independent" Web site that rated Equity and its funds as safe, five-star funds. According to Davidson (2003), the FTC admitted that the laws in the United States (and other countries) are set up based on an old-economy view and are not effective enough in cross-border cases involving new-economy realities.
To solve the problem, some countries (e.g., Germany, Netherlands) rely on self-regulatory business groups that can merely urge an offending company to change its practice. Some countries try to bar rogue marketers from conducting unethical or even illegal marketing activities, but cannot even impose financial sanctions. Offending companies are simply looking for jurisdictions of convenience. (Incidentally, the same situation exists with companies that support free file sharing, such as Kazaa; they are operating from outside the United States and so are not subject to U.S. laws, however outdated they may be.)

What can be done? In June 2003, 29 nations belonging to the Organization for Economic Cooperation and Development (OECD) announced an agreement on unified guidelines for far greater cooperation in prosecuting online scammers, and in enforcement of existing laws. There will be information sharing and collaboration among investigators from different countries (e.g., relaxing privacy rules that in most nations, including the United States, now strictly limit the information that can be shared). Participating countries will try to pass laws adopting the guidelines. For example, in the United States, which has the most victims of cross-border fraud, a pending bill in Congress would give the FTC new authority to prosecute cross-border fraud.

Sources: Compiled from Davidson (2003), from ftc.org, and a news item in South China Morning Post (Hong Kong, May 21, 1999).

Programming attack is popular with computer criminals who use programming techniques to modify a computer program, either directly or indirectly. For this crime, programming skills and knowledge of the targeted systems are essential.
Programming attacks appear under many names, as shown in Table 15.3. Several of the methods were designed for Web-based systems. Viruses merit special discussion here due to their frequency, as do denial of service attacks, due to the effects they have had on computer networks.

TABLE 15.3 Methods of Programming Attack on Computer Systems

Method: Definition
Virus: Secret instructions inserted into programs (or data) that are innocently run during ordinary tasks. The secret instructions may destroy or alter data, as well as spread within or between computer systems.
Worm: A program that replicates itself and penetrates a valid computer system. It may spread within a network, penetrating all connected computers.
Trojan horse: An illegal program, contained within another program, that sleeps until some specific event occurs, then triggers the illegal program to be activated and cause damage.
Salami slicing: A program designed to siphon off small amounts of money from a number of larger transactions, so the quantity taken is not readily apparent.
Superzapping: A method of using a utility "zap" program that can bypass controls to modify programs or data.
Trap door: A technique that allows for breaking into a program code, making it possible to insert additional instructions.
Logic bomb: An instruction that triggers a delayed malicious act.
Denial of services: Too many requests for service, which crashes the site.
Sniffer: A program that searches for passwords or content in a packet of data as they pass through the Internet.
Spoofing: Faking an e-mail address or Web page to trick users to provide information or send money.
Password cracker: A program that tries to guess passwords (can be very successful).
War dialing: Programs that automatically dial thousands of telephone numbers in an attempt to identify one authorized to make a connection with a modem; then one can use that connection to break into databases and systems.
Back doors: Invaders to a system create several entry points; even if you discover and close one, they can still get in through others.
Malicious applets: Small Java programs that misuse your computer resources, modify your files, send fake e-mail, etc.

VIRUSES. The most publicized and most common attack method is the virus. It receives its name from the program's ability to attach itself to (infect) other computer programs, without the owner of the program being aware of the infection (see Figure 15.2). When the software is used, the virus spreads, causing damage to that program and possibly to others. According to Bruno (2002), 93 percent of all companies experienced virus attacks in 2001, with an average loss of $243,845 per company. A virus can spread throughout a computer system very quickly. Due to the availability of public-domain software, widely used telecommunications networks, and the Internet, viruses can also spread to many organizations around the world, as shown in the incidents listed earlier. Some of the most notorious viruses are international, such as Michelangelo, Pakistani Brain, Chernobyl, and Jerusalem. (For the history of viruses and how to fight them, see Zetter and Miastkowski, 2000.)

FIGURE 15.2 How a computer virus can spread. Just as a biological virus disrupts living cells to cause disease, a computer virus, introduced maliciously, invades the inner workings of computers and disrupts normal operations of the machines. (1) A virus starts when a programmer writes a program that embeds itself in a host program. (2) The virus attaches itself and travels anywhere that the host program or piece of data travels, whether on floppy disk, local area networks, or bulletin boards. (3) The virus is set off by either a time limit or some set of circumstances, possibly a simple sequence of computer operations by the user. Then it does whatever the virus programmer intended, whether it is to print "Have a nice day" or erase data.

When a virus is attached to a legitimate software program, the legitimate software is acting as a Trojan horse, a program that contains a hidden function that presents a security risk. The name is derived from the Trojan horse in Greek legend. The Trojan horse programs that present the greatest danger are those that make it possible for someone else to access and control a person's computer over the Internet. We'll look at viruses and how to fight them later in the chapter, when we describe security on networks.

DENIAL OF SERVICE. The opening case of this chapter described a denial of service incident. In a denial-of-service (DoS) attack, an attacker uses specialized software to send a flood of data packets to the target computer, with the aim of overloading its resources. Many attackers rely on software that has been created by other hackers and made available free over the Internet. With a distributed denial of service (DDoS) attack, the attacker gains illegal administrative access to computers on the Internet. With access to a large number of computers, the attacker loads the specialized DDoS software onto these computers. The software lies in wait for a command to begin the attack. When the command is given, the distributed network of computers begins sending out requests to one or more target computers. The requests can be legitimate queries for information or can be very specialized computer commands designed to overwhelm specific computer resources. The machines on which DDoS software is loaded are known as zombies (Karagiannis, 2003). Zombies are often located at university and government sites. Increasingly, with the rise of cable modems and DSL modems, home computers that are connected to the Internet and left on all the time have become good zombie candidates.

DoS attacks are not new.
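The flood pattern just described shows up in a target's own web-server access log. The following example, added here and not code from the textbook, runs two sliding-window rate checks over constructed log lines: a per-source check that catches a single flooding host, and an aggregate check that catches the zombie case where many hosts each stay quiet but together overwhelm the server. The log format (Apache common style), the thresholds and the addresses are assumptions made for the illustration.

```python
"""Rate-based flood detection over web-server access logs.

Added example, not code from the textbook. The log format (Apache
'common' style), the thresholds and the log lines are all constructed
for illustration. Two checks run over a sliding time window:
  * per-source: one client exceeding per_source requests in the window
    (a single-host DoS flood);
  * aggregate: total requests exceeding aggregate in the window even
    though no single client is noisy (the DDoS/zombie pattern from the
    text, where each zombie stays under the per-source limit).
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def detect_floods(lines, window=timedelta(seconds=10), per_source=20, aggregate=100):
    """Scan chronologically ordered log lines and return a list of alerts.

    Each alert is (kind, key, count, timestamp). A given source, and the
    aggregate check, each alert at most once so a long flood does not
    produce one alert per request.
    """
    events = deque()          # (timestamp, ip) for requests inside the window
    per_ip = Counter()        # requests per client inside the window
    alerts, flagged = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:    # malformed line: skip rather than crash the monitor
            continue
        ip, ts = parsed
        events.append((ts, ip))
        per_ip[ip] += 1
        # Evict everything older than the window (log is in time order).
        while events and ts - events[0][0] > window:
            _, old_ip = events.popleft()
            per_ip[old_ip] -= 1
        if per_ip[ip] >= per_source and ip not in flagged:
            flagged.add(ip)
            alerts.append(("single-source flood", ip, per_ip[ip], ts))
        if len(events) >= aggregate and "aggregate" not in flagged:
            flagged.add("aggregate")
            sources = sum(1 for c in per_ip.values() if c > 0)
            alerts.append(("distributed flood", f"{sources} sources", len(events), ts))
    return alerts


def _line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.0" 200 512'


def make_sample_log():
    """Constructed log: quiet background, then a single-host flood, then a DDoS."""
    t0 = datetime(2003, 1, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 0-18 s: five legitimate clients, one request each every 2 s.
    for i in range(10):
        for n in range(5):
            lines.append(_line(f"192.0.2.{10 + n}", t0 + timedelta(seconds=2 * i)))
    # 30-33 s: one host sends 30 requests in three seconds.
    t1 = t0 + timedelta(seconds=30)
    for i in range(30):
        lines.append(_line("198.51.100.7", t1 + timedelta(milliseconds=100 * i)))
    # 60-65 s: sixty 'zombies' send only three requests each, well under
    # the per-source limit, but 180 requests in total.
    t2 = t0 + timedelta(seconds=60)
    for i in range(3):
        for z in range(60):
            lines.append(_line(f"203.0.113.{z + 1}",
                               t2 + timedelta(seconds=2 * i, milliseconds=10 * z)))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```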
In 1996, a New York Internet service provider had service disrupted for over a week by a DoS attack, denying service to over 6,000 users and 1,000 companies. A recent example of a DoS attack is the one on the RIAA (Recording Industry Association of America), whose site (riaa.org) was rendered largely unavailable for a week starting January 24, 2003. The attack was done mainly by those who did not like the RIAA's attempts to fight pirated music done by file sharing. Due to the widespread availability of free intrusion tools and scripts and the overall interconnectivity on the Internet, the intruder population now consists of virtually anyone with minimal computer experience (often a teenager with time on his hands). Unfortunately, a successful DoS attack can literally threaten the survival of an EC site, especially for SMEs.

ATTACKS VIA MODEMS. In many companies employees who are on the road use modems for dial-in access to the company intranet. Two types of modems exist: authorized and not authorized (known as rogue modems). The latter are installed by employees when there are no authorized modems, when it is inconvenient to use the authorized modems, or when the authorized modems provide only limited access. Modems are very risky. It is quite easy for attackers to penetrate them, and it is easy for employees to leak secret corporate information to external networks via rogue modems. In addition, software problems may develop, such as downloading programs with viruses or with a back door to the system. Back doors are created by hackers to repenetrate a system, once a successful penetration is made. For ways to protect systems that use modems, see White (1999).

15.4 PROTECTING INFORMATION RESOURCES: FROM NATIONAL TO ORGANIZATIONAL EFFORTS

Organizations and individuals can protect their systems in many ways. Let's look first at what protections the national efforts can provide.
Then we will look at what organizations can do to protect information resources.

Representative Federal Laws Dealing with Computer Crime and Security

A crime means breaching the law. In addition to breaking regular laws related to physically stealing computers or conducting fraud, computer criminals may break the specially legislated computer crime laws. According to the FBI, an average robbery involves about $3,000; an average white-collar crime involves $23,000; but an average computer crime involves about $600,000. Table 15.4 lists some key U.S. federal statutes dealing with computer crime. (For more on these laws, see epic.org/security.)

Legislation can be helpful but not sufficient. Therefore, the FBI has formed the National Infrastructure Protection Center (NIPC). This joint partnership between government and private industry is designed to prevent and protect the nation's infrastructure: its telecommunications, energy, transportation, banking and finance, emergency, and governmental operations. The FBI has also established Regional Computer Intrusion Squads, which are charged with the task of investigating violations of the Computer Fraud and Abuse Act. The squads' activities are focused on intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software, and other cybercrimes.

Another national organization is the Computer Emergency Response Team (CERT) at Carnegie Mellon University (cert.org). The CERT Coordination Center (CC) consists of three teams: the Incident Handling Team, the Vulnerability Handling Team, and the Artifact Analysis Team. The Incident Handling Team receives incident reports of cyberattacks from Internet sites and provides information and guidance to the Internet community on combating reported incidents. The Vulnerability Handling Team receives reports on suspected computer and network vulnerabilities, verifies and analyzes the reports, and works with the Internet community to understand and develop countermeasures to those vulnerabilities. The Artifact Analysis Team focuses on the code used to carry out cyberattacks (e.g., computer viruses), analyzing the code and finding ways to combat it.

TABLE 15.4 Key U.S. Federal Statutes Dealing with Computer Crime

Federal Statute:
Counterfeit Access Device and Computer Crime Control Act (passed in October 1984)
Computer Fraud and Abuse Act (1986), 18 USC, section 1030
Computer Abuse Amendment Act of 1994
Computer Security Act of 1987
Digital Privacy Act of 2000
Electronic Communications Privacy Act of 1986
Electronic Freedom of Information Act, 1996
Gramm Leach Bliley Act of 1999
National Information Infrastructure Protection Act of 1996
Patriot Act of 2001
Privacy Act of 1974
Electronic Funds Transfer Act of 1980
Video Privacy Protection Act of 1988

Key Provisions: Prohibits knowing transmission of computer viruses

Organizing for Information Security

Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent or detect security problems, they must do so in an organized way, assigning responsibilities and authority throughout the organization (e.g., see Talleur, 2001, and Atlas and Young, 2002). Any program that is adopted must be supported by three organizational components: people, technology, and process (see Doughty, 2003). One way to approach the problem of organizing for security is similar to the familiar total quality management approach, namely, recognizing the importance of a corporatewide security program, which will deal with all kinds of security issues, including protecting the information assets. Doll et al.
(2003), presents this approach as having six major characteristics: Aligned. The program must be aligned with the organizational goals. Enterprisewide. Everyone in the organization must be included in the security program. 700 CHAPTER 15 MANAGING INFORMATION RESOURCES AND SECURITY CEO Public Media Government Relations Public Media Government Relations Privacy Officer Physical Security Continuity Planning Security Officer Asset Management Asset Management Service Management Planning Architecture Operations Monitoring FIGURE 15.3 Corporate security plan. (Source: Doll et al., 2003.) Business Requirements Education Formal Communications Governance Policies Project Management Risk Assessment Request for Proposals (RFP) Standards & Guidelines Technical Requirements/ Design Technical Security Architecture Technology Solutions Incident Response Access Control/ Account Management Investigations Standards/Solutions Deployment Training & Awareness Vulnerability/ Management Auditing Reporting Systems Monitoring Security Testing Continuous. The program must be operational all the time. Proactive. Do not wait for trouble; be aware and ready; use innovative, preventive, and protective measures. Validated. The program must be tested and validated to ensure it works. Formal. It must be a formal program with authority, responsibility, and accountability. A corporate security model proposed by Doll et al. (2003 is illustrated in Figure 15.3. Obviously, only very large organizations can afford such a comprehensive security model. We will present several of the components and concepts in the gure in the remaining portions of this chapter. A case study for implementing enterprise security is provided by Doughty (2003). A major issue is the role the person responsible for security (the chief security ofcer) is going to assume (see Robinson, 2003). 
Controls and Awareness

Knowing about major potential threats to information systems is necessary, but understanding ways to defend against these threats is equally critical (see cert.org and sans.com). Defending information resources is neither a simple nor an inexpensive task. The major difficulties of protecting information are listed in Table 15.5. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of any prudent CIO and of the functional managers who control information resources. As a matter of fact, IT security is the business of everyone in an organization (see Pooley, 2002).

TABLE 15.5 The Difficulties in Protecting Information Resources
- Hundreds of potential threats exist.
- Computing resources may be situated in many locations.
- Many individuals control information assets.
- Computer networks can be outside the organization and difficult to protect.
- Rapid technological changes make some controls obsolete as soon as they are installed.
- Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
- People tend to violate security procedures because the procedures are inconvenient.
- Many computer criminals who are caught go unpunished, so there is no deterrent effect.
- The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, one can learn hacking, for free, on the Internet.
- The cost of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect against all possible hazards.
- It is difficult to conduct a cost-benefit justification for controls before an attack occurs since it is difficult to assess the value of a hypothetical attack.

Protection of information resources is accomplished mostly by inserting controls (defense mechanisms) intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems. Controls can be integrated into hardware and software during the system development phase (a most efficient approach). They can also be added on once the system is in operation, or during its maintenance. The important point is that defense should stress prevention; defense does no good after the crime.

In addition to controls, a good defense system must include security awareness. All organizational members must be aware of security threats and watch for potential problems and crimes constantly. Suggestions of how to develop such programs are offered by security consultants (e.g., see Wiederkehr, 2003). Awareness training is recommended by Talleur (2001).

Since there are many security threats, there are also many defense mechanisms. Controls are designed to protect all the components of an information system, specifically data, software, hardware, and networks. In the next section, we describe the major ones.

Defense Strategy: How Do We Protect?

The selection of a specific defense strategy depends on the objective of the defense and on the perceived cost-benefit. The following are the major objectives of defense strategies:

1. Prevention and deterrence. Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and, better yet, deny access to unauthorized people. Prevention and deterrence are especially important where the potential damage is very high (see Scalet, 2003).
2. Detection. It may not be economically feasible to prevent all hazards, and deterrence measures may not work. Therefore, unprotected systems are vulnerable to attack. Like a fire, the earlier an attack is detected, the easier it is to combat, and the less damage is done. Detection can be performed in many cases by using special diagnostic software.
3. Limitation of damage. This strategy is to minimize (limit) losses once a malfunction has occurred. This can be accomplished by including a fault-tolerant system that permits operation in a degraded mode until full recovery is made. If a fault-tolerant system does not exist, a quick (and possibly expensive) recovery must take place. Users want their systems back in operation as quickly as possible.
4. Recovery. A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.
5. Correction. Correcting the causes of damaged systems can prevent the problem from occurring again.
6. Awareness and compliance. All organization members must be educated about the hazards and must comply with the security rules and regulations.

Any defense strategy that aims to attain one or more of these objectives may involve the use of several controls. The defense controls are divided in our discussion into two major categories: general controls and application controls. Each has several subcategories, as shown in Figure 15.4. General controls are established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application. Application controls are safeguards that are intended to protect specific applications. In the next two sections, we discuss the major types of these two groups of information systems controls.

FIGURE 15.4 Major defense controls. [Tree diagram, reduced to its labels: Defense Controls divide into General controls (Physical; Access, including Biometrics; Data Security; Communication, including Authentication, Biometrics, Encryption, Cable Testers, Firewalls, and Virus Protection; Administrative; Other) and Application controls (Web Controls; Input; Processing; Output).]
General Controls

The major categories of general controls are physical controls, access controls, data security controls, communications (networks) controls, and administrative controls.

PHYSICAL CONTROLS. Physical security refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals, and networks. Physical security is the first line of defense and usually the easiest to construct. It provides protection against most natural hazards as well as against some human hazards. Appropriate physical security may include several controls such as the following:

- Appropriate design of the data center. For example, the site should be noncombustible and waterproof.
- Shielding against electromagnetic fields.
- Good fire prevention, detection, and extinguishing systems, including sprinkler system, water pumps, and adequate drainage facilities. A better solution is fire-enveloping Halon gas systems.
- Emergency power shutoff and backup batteries, which must be maintained in operational condition.
- Properly designed, maintained, and operated air-conditioning systems.
- Motion detector alarms that detect physical intrusion.

Another example of physical controls is the need to protect against theft of mobile computers. Such protection is important not only because of the loss of the computer but also because of loss of data. Several interesting protection devices are offered by targus.com.

ACCESS CONTROL. Access control is the restriction of unauthorized user access to a portion of a computer system or to the entire system. It is the major defense line against unauthorized insiders as well as outsiders. To gain access, a user must first be authorized. Then, when the user attempts to gain access, he or she must be authenticated. Access to a computer system basically consists of three steps: (1) physical access to a terminal, (2) access to the system, and (3) access to specific commands, transactions, privileges, programs, and data within the system. Access control software is commercially available for large mainframes, personal computers, local area networks, mobile devices, and dial-in communications networks. Access control to networks is executed through firewalls and will be discussed later.

Access procedures match every valid user with a unique user-identifier (UID). They also provide an authentication method to verify that users requesting access to the computer system are really who they claim to be. User identification can be accomplished when the following identifies each user:

- Something only the user knows, such as a password.
- Something only the user has, for example, a smart card or a token.
- Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan. It is implemented via biometric controls, which can be physiological or behavioral (see Alga, 2002) and whose cost is relatively small.

Biometric Controls. A biometric control is an automated method of verifying the identity of a person, based on physiological or behavioral characteristics. The most common biometrics are the following:

- Photo of face. The computer takes a picture of your face and matches it with a prestored picture. In 2002, this method was successful in correctly identifying users except in cases of identical twins.
- Fingerprints. Each time a user wants access, matching a fingerprint (finger scan) against a template containing the authorized person's fingerprint identifies him or her. Note that in 2001 Microsoft introduced a software program, now a part of Windows, that allows users to use Sony's fingerprint recognition device. Computer manufacturers will start shipping laptops secured by fingerprint-scanning touchpads in 2004. These devices will reject unauthorized access (see synaptics.com).
- Hand geometry. This biometric is similar to fingerprints except that the verifier uses a television-like camera to take a picture of the user's hand. Certain characteristics of the hand (e.g., finger length and thickness) are electronically compared against the information stored in the computer.
- Iris scan. This technology uses the colored portion of the eye to identify individuals (see iriscan.com). It is a noninvasive system that takes a photo of the eye and analyzes it. It is a very accurate method.
- Retinal scan. A match is attempted between the pattern of the blood vessels in the back-of-the-eye retina that is being scanned and a prestored picture of the retina.
- Voice scan. A match is attempted between the user's voice and the voice pattern stored on templates.
- Signature. Signatures are matched against the prestored authentic signature. This method can supplement a photo-card ID system.
- Keystroke dynamics. A match of the person's keyboard pressure and speed against prestored information.

Several other methods, such as facial thermography, exist. Biometric controls are now integrated into many e-commerce hardware and software products (e.g., see keywaretechnologies.com). For an overview and comparison of technologies, see Jain et al. (1999 and 2000) and Alga (2002). Biometric controls do have some limitations: they are not accurate in certain cases, and some people see them as an invasion of privacy (see Caulfield, 2002).

DATA SECURITY CONTROLS. Data security is concerned with protecting data from accidental or intentional disclosure to unauthorized persons, or from unauthorized modification or destruction. Data security functions are implemented through operating systems, security access control programs, database/data communications products, recommended backup/recovery procedures, application programs, and external control procedures. Data security must address the following issues: confidentiality of data, access control, critical nature of data, and integrity of data. Two basic principles should be reflected in data security:

- Minimal privilege. Only the information a user needs to carry out an assigned task should be made available to him or her.
- Minimal exposure. Once a user gains access to sensitive information, he or she has the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is processed, stored, or in transit.

Data integrity is the condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur. It is the preservation of data for their intended use.

COMMUNICATIONS AND NETWORKS CONTROLS. Network protection is becoming extremely important as the use of the Internet, intranets, and electronic commerce increases. We will discuss this topic in more detail in Section 15.5.

TABLE 15.6 Representative Administrative Controls
- Appropriately selecting, training, and supervising employees, especially in accounting and information systems
- Fostering company loyalty
- Immediately revoking access privileges of dismissed, resigned, or transferred employees
- Requiring periodic modification of access controls (such as passwords)
- Developing programming and documentation standards (to make auditing easier and to use the standards as guides for employees)
- Insisting on security bonds or malfeasance insurance for key employees
- Instituting separation of duties, namely dividing sensitive computer duties among as many employees as economically feasible in order to decrease the chance of intentional or unintentional damage
- Holding periodic random audits of the system

ADMINISTRATIVE CONTROLS.
While the previously discussed general controls were technical in nature, administrative controls deal with issuing guidelines and monitoring compliance with the guidelines. Representative examples of such controls are shown in Table 15.6.

OTHER GENERAL CONTROLS. Several other types of controls are considered general. Representative examples include the following:

- Programming Controls. Errors in programming may result in costly problems. Causes include the use of incorrect algorithms or programming instructions, carelessness, inadequate testing and configuration management, or lax security. Controls include training, establishing standards for testing and configuration management, and enforcing documentation standards.
- Documentation Controls. Manuals are often a source of problems because they are difficult to interpret or may be out of date. Accurate writing, standardization, updating, and testing are examples of appropriate documentation control. Intelligent agents can be used to prevent such problems.
- System Development Controls. System development controls ensure that a system is developed according to established policies and procedures. Conformity with budget, timing, security measures, and quality and documentation requirements must be maintained.

Application Controls

General controls are intended to protect the computing facilities and provide security for hardware, software, data, and networks regardless of the specific application. However, general controls do not protect the content of each specific application. Therefore, controls are frequently built into the applications (that is, they are part of the software) and are usually written as validation rules. They can be classified into three major categories: input controls, processing controls, and output controls. Multiple types of application controls can be used, and management should decide on the appropriate mix of controls.

INPUT CONTROLS. Input controls are designed to prevent data alteration or loss. Data are checked for accuracy, completeness, and consistency. Input controls are very important; they prevent the GIGO (garbage-in, garbage-out) situation. Four examples of input controls are:

1. Completeness. Items should be of a specific length (e.g., nine digits for a Social Security number). Addresses should include a street, city, state, and Zip code.
2. Format. Formats should be in standard form. For example, sequences must be preserved (e.g., Zip code comes after an address).
3. Range. Only data within a specified range are acceptable. For example, Zip code ranges between 10,000 and 99,999; the age of a person cannot be larger than, say, 120; and hourly wages at the firm do not exceed $50.
4. Consistency. Data collected from two or more sources need to be matched. For example, in medical history data, males cannot be pregnant.

PROCESSING CONTROLS. Processing controls ensure that data are complete, valid, and accurate when being processed and that programs have been properly executed. These programs allow only authorized users to access certain programs or facilities and monitor the computer's use by individuals.

OUTPUT CONTROLS. Output controls ensure that the results of computer processing are accurate, valid, complete, and consistent. By studying the nature of common output errors and the causes of such errors, security and audit staff can evaluate possible controls to deal with problems. Also, output controls ensure that outputs are sent only to authorized personnel.

15.5 SECURING THE WEB, INTRANETS, AND WIRELESS NETWORKS

Some of the incidents described in Section 15.3 point to the vulnerability of the Internet and Web sites (see Sivasailam et al., 2002). As a matter of fact, the more networked the world becomes, the more security problems we may have. Security is a race between lock makers and lock pickers.
Unless the lock makers have the upper hand, the future of the Internet's credibility and of e-business is in danger. Over the Internet, messages are sent from one computer to another (rather than from one network to the other). This makes the network difficult to protect, since at many points people can tap into the network and the users may never know that a breach had occurred. For a list of techniques attackers can use to compromise Web applications, in addition to what was described in Section 15.3, see Table 15.7. The table covers the major security measures of the Internet. Security issues regarding e-business are discussed in Chapters 5 and 6.

TABLE 15.7 Attacking Web Applications
- SQL injection: Passing SQL code into an application that was not intended to receive it
- Parameter tampering: Manipulating URL strings to retrieve information
- Cookie poisoning: Altering the content of a cookie
- Hidden manipulation: Changing hidden field values
- Backdoor and debug options: Executing debug syntax on URLs
- Buffer overflow: Sending large numbers of characters to a Web site form/field
- Stealth commanding: Attempting to inject Trojan horses in form submissions and run malicious or unauthorized code on the Web server
- Third-party misconfiguration: Attempting to find programming errors and exploit them to attack system vulnerabilities
- Known vulnerability: Exploiting all publicly known vulnerabilities
- Cross-site scripting: Entering executable commands into Web site buffers
- Forceful browsing: Attempting to browse known/default directories that can be used in constructing an attack
Source: Modified from Stasiak (2002), Table 2.

McConnell (2002) divides Internet security measures into three layers: border security (access), authentication, and authorization. Details of these layers are shown in Figure 15.5. Several of these are discussed in some detail in the remainder of this chapter. Some commercial products include security measures for all three levels all in one product (e.g., WebShield from McAfee, and Firewall/VPN Appliance from Symantec). Many security methods and products are available to protect the Web. We briefly describe the major ones in the following sections.

FIGURE 15.5 Three layers of Internet security measures. (Source: McConnell, 2002.)
- 1st layer, Border security (network layer security): Virus scanning; Firewalls; Intrusion detection; Virtual private networking; Denial-of-service protection
- 2nd layer, Authentication (proof of identity): Username/password; Password synchronization; Public key; Tokens; Biometrics; Single sign on
- 3rd layer, Authorization (permissions based on identity): User/group permissions; Enterprise directories; Enterprise user administration; Rules-based access control

Border Security

The major objective of border security is access control, as seen in Figure 15.5. Several tools are available. First we consider firewalls.

FIREWALLS. Hacking is a growing phenomenon. Even the Pentagon's system, considered a very secure system, experiences more than 250,000 hacker infiltrations per year, many of which are undetected (Los Angeles Times, 1998). It is believed that hacking costs U.S. industry several billion dollars each year. Hacking is such a popular activity that over 80,000 Web sites are dedicated to it. Firewalls provide the most cost-effective solution against hacking (see Fadia, 2002). A firewall is a system, or group of systems, that enforces an access-control policy between two networks. It is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet, which is assumed to be unsecured. Firewalls are used to implement access-control policies. The firewall follows strict guidelines that either permit or block traffic; therefore, a successful firewall is designed with clear and specific rules about what can pass through.
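The permit-or-block rule evaluation just described, modelled as a small first-match packet filter; this is an added example, not code from the textbook, and the address ranges, rule sets and connection attempts in it are constructed. The shadowed-rule check shows why "clear and specific rules" matters: an over-broad permit placed first silently disables the block rule behind it.

```python
"""Added example (not from the textbook): a tiny first-match packet filter
that models the firewall described above, an ordered list of rules that
permit or block traffic between the Internet and an intranet, with an
implicit default of block for anything no rule matches.  All addresses,
networks and rules are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "block"
    src: str              # CIDR the connection comes from
    dst: str              # CIDR the connection goes to
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None means any port
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every connection matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """First matching rule wins; with no match the traffic is blocked (default deny)."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return "block"


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.
    A shadowed block rule is the classic sign of an unclear, over-broad policy."""
    return [j for j, later in enumerate(policy)
            if any(earlier.covers(later) for earlier in policy[:j])]


INTERNET = "0.0.0.0/0"
INTRANET = "10.0.0.0/8"          # constructed internal address space
PUBLIC_WEB = "203.0.113.10/32"   # constructed public web server (RFC 5737 TEST-NET)

# Clear and specific rules: outsiders reach only the public web server, and only
# on the web ports; anything aimed at the intranet is blocked explicitly and,
# failing that, by the default deny.
SPECIFIC_POLICY = [
    Rule("permit", INTERNET, PUBLIC_WEB, "tcp", 80, "public product information"),
    Rule("permit", INTERNET, PUBLIC_WEB, "tcp", 443, "public downloads over TLS"),
    Rule("block", INTERNET, INTRANET, "any", None, "no direct access to the intranet"),
]

# A sloppy policy: an over-broad permit placed before the block rule.  Because
# evaluation is first-match, the block rule never gets a chance to apply.
SLOPPY_POLICY = [
    Rule("permit", INTERNET, INTERNET, "any", None, "allow everything (too broad)"),
    Rule("block", INTERNET, INTRANET, "any", None, "meant to protect the intranet"),
]

# Constructed connection attempts as seen at the border: (src, dst, proto, port).
SAMPLES = {
    "visitor to web server": ("198.51.100.7", "203.0.113.10", "tcp", 443),
    "outsider to file server": ("198.51.100.7", "10.1.2.3", "tcp", 445),
    "outsider to web server ssh": ("198.51.100.7", "203.0.113.10", "tcp", 22),
}


def audit(policy: List[Rule]) -> dict:
    """Decision for each sample connection under the given policy."""
    return {name: evaluate(policy, *conn) for name, conn in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("specific", SPECIFIC_POLICY), ("sloppy", SLOPPY_POLICY)):
        print(label, audit(policy), "shadowed:", shadowed_rules(policy))
```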
Several rewalls may exist in one information system. Firewalls are also used as a place to store public information. While visitors may be blocked from entering the company networks, they can obtain information about products and services, download les and bug-xes, and so forth. Useful as they are, rewalls do not stop viruses that may be lurking in networks. Viruses can pass through the rewalls, usually hidden in an e-mail attachment. VIRUS CONTROLS. Many viruses exist (about 100,000 known in 2003) and the number is growing by 30 percent a year according to the International Computer Security Association (reported by statonline, 2003). So the question is, What can organizations do to protect themselves against viruses? Some solutions against virus penetrations are provided in Zenkin (2001) and in Table 15.8. The most common solution is to use antivirus software is (e.g., from symantec.com). However, antivirus software provides protection against viruses only after they have attacked someone and their properties are known. New viruses are difcult to detect in their rst attack. The best protection against viruses is to have a comprehensive plan such as shown in A Closer Look 15.3. INTRUSION DETECTING. Because protection against denial of service (see the opening vignette) is difcult, the sooner one can detect an usual activity, the better. Therefore, it is worthwhile to place an intrusion detecting device near the TABLE 15.8 Protecting Against Viruses Possible Mode of Entrance Viruses pass through rewalls undetected Countermeasure User must screen all downloaded programs and (from the Internet). Virus may be resident on networked server; all users are at risk. Infected oppy; local server system at risk; les shared or put on server can spread virus. Mobile or remote users exchange or update large amounts of data; risk of infection is greater. Virus already detected. documents before use. Run virus scan daily; comprehensive backup to restore data; audit trail. 
Use virus checker to screen oppies locally. Scan les before upload or after download; make frequent backups. Use a clean starter disk or recovery disk. Source: Compiled from Nance (1996, updated 2003), p. 171. 15.5 SECURING THE WEB, INTRANETS, AND WIRELESS NETWORKS 709 A CLOSER LOOK 15.3 HOW TO MINIMIZE THE DAMAGE FROM VIRUSES T o minimize the damage from viruses, take the following preventive actions: 1. Install a good antivirus program. These are also known as gateway virus scanners. (e.g., Norton AntiVirus, McAfee, VirusScan). 2. Scan the hard drive for viruses at least weekly. 3. Write-protect your oppy disks and scan them before using them. 4. Write-protect your program disks. 5. Back up data fully and frequently. 6. Dont trust outside PCs. 7. Virus scan before laplinking or synchronizing les. 8. Develop an antivirus policy. 9. Identify the areas of risk in case of virus attack. These are: a. Direct losses (e.g., time spent to restore systems) b. Losses your customers and suppliers suffer when your system is down c. Losses to a third party to which your company had passed on a virus, possibly due to your employees negligence 10. Minimize losses by the following measures: a. Install strict employees guidelines dealing with e-mail viruses. b. Use a service provider to handle virus detection and control. This way you get the latest technology, make it more difcult for insiders to perform crimes, and may transfer the risk to the service provider. c. Have contracts that will protect you from a legal action by your customers/suppliers who suffer damage when your systems are damaged (called a force majeure clause). d. Instruct your employees on how to scan all outgoing e-mails to your business partners. 11. The SANS Institute (sans.org) is an IT cooperative research and education organization for system administrators and security professionals; it has more than 96,000 members. SANS recommends the following guidelines for action during virus attacks: a. Preparation. 
Establish policy, design a form to be led when a virus is suspected (or known), and develop outside relationships. b. Identication. Collect evidence of attack, analyze it, notify ofcals (e.g., at cert.org). c. Containment. Back up the system to capture evidence, change passwords, determine the risk of continuing operations. d. Eradication. Determine and remove the cause, and improve the defense. e. Recovery. Restore and validate the system. f. Follow up. Write a follow-up report detailing lessons learned. 12. Get information and sometimes free software at the following sites: Antivirus.com cert.org pgp.com symantec.com ncsa.com rsa.com mcafee.com iss.net tis.com entrance point of the Internet to the intranet (close to a rewall). The objective is early detection, and this can be done by several devices (e.g., BladeRunner from Raytheon, Praesidium from HP, Caddx from Caddx Controls, and IDS from Cisco). Intrusion detecting is done by different tools, such as statistical analysis or neural networks. Biermann et al. (2001) provide a comparison of 10 different methods and discuss which methods are better at detecting different types of intrusions. PROTECTING AGAINST DENIAL OF SERVICE ATTACKS. After the February 6, 2000, DOS attack, the industry started to nd solutions. A special task force of experts was formed at the Internet Engineering Task Force (IETF); it included vendors and companies that were attacked. The IETF group developed procedures on what to do in the event of such attack. One approach suggested was 710 CHAPTER 15 MANAGING INFORMATION RESOURCES AND SECURITY tracking the attacker in real time (e.g., by tracking the ow of data packets through the Net). Automated Attack Traceback. Investigation to nd attackers can be done manually, or can be automated. Attack traceback refers to a system that would identify the person responsible for a virus, DOS, or other attacks. For example, it would identify the computer host that is the source of the attack. 
Attackers usually try to hide their identity. The automatic traceback attempts to circumvent the methods used by attackers (such as zombies, discussed earlier). According to Lee and Shields (2002), however, the use of automatic attack traceback programs may raise legal issues (e.g., what data you can legally track). VIRTUAL PRIVATE NETWORKING (VPN). The last major method of border security is a Virtual Private Network (VPN). A VPN uses the Internet to carry information within a company that has multiple sites and among known business partners, but it increases the security of the Internet by using a combination of encryption, authentication, and access control. It replaces the traditional private leased line and/or remote access server (RAS) that provide direct communication to a companys LAN (see Technology Guide 4). According to Prometheum Technologies (2003), costs can be reduced by up to 50 percent by using the VPN which can also be used by remote workers (here the savings can reach 6080 percent). Condentiality and integrity are assured by the use of protocol tunneling for the encryption. McKinley 2003). For further details on VPNs, see Garnkel (2002), Fadia (2002), and McKinley (2003). Authentication As applied to the Internet, an authentication system guards against unauthorized dial-in attempts. Many companies use an access protection strategy that requires authorized users to dial in with a preassigned personal identication number (PIN). This strategy is usually enhanced by a unique and frequently changing password. A communications access control system authenticates the users PIN and password. Some security systems proceed one step further, accepting calls only from designated telephone numbers. Access controls also include biometrics. HOW AUTHENTICATION WORKS. The major objective of authentication is the proof of identity (see Figure 15.5). 
The attempt here is to identify the legitimate user and determine the action he/she is allowed to perform, and also to find those posing as others. Such programs also can be combined with authorization, to limit the actions of people to what they are authorized to do with the computer once their identification has been authenticated. Authentication systems have five key elements (Smith, 2002): (1) a person (or a group) to be authenticated; (2) a distinguishing characteristic that differentiates the person (group) from others; (3) a proprietor responsible for the system being used; (4) an authentication mechanism; and (5) an access control mechanism for limiting the actions that can be performed by the authenticated person (group). A stronger system is two-factor authentication, which combines something one knows (password, answer to a query) with something one has (tokens, biometrics). An access card is an example of a passive token, carried to enter into certain rooms or to gain access to a network. Active tokens are electronic devices that can generate a one-time password after being activated with a PIN. Note that public key systems (PKI, see Chapter 5) include an authentication feature.

Authorization

Authorization refers to permission issued to individuals or groups to do certain activities with a computer, usually based on verified identity. The security system, once it authenticates the user, must make sure that the user operates within his/her authorized activities. This is usually done by monitoring user activities and comparing them to the list of authorized ones. Other methods of protecting the Web and intranets include the following.

ENCRYPTION. As discussed in Chapter 5, encryption encodes regular digitized text into unreadable scrambled text or numbers, which are decoded upon receipt.
Encryption accomplishes three purposes: (1) identification (helps identify legitimate senders and receivers), (2) control (prevents changing a transaction or message), and (3) privacy (impedes eavesdropping). Encryption is used extensively in e-commerce for protecting payments and for privacy. A widely accepted encryption algorithm is the Data Encryption Standard (DES), produced by the U.S. National Bureau of Standards. Many software products also are available for encryption. Traffic padding can further enhance encryption. Here a computer generates random data that are intermingled with real data, making it virtually impossible for an intruder to identify the true data. To ensure secure transactions on the Internet, VeriSign and VISA developed encrypted digital certification systems for credit cards. These systems allow customers to make purchases on the Internet without giving their credit card number. Cardholders create a digital version of their credit card, called a virtual credit card (see Chapter 5). VeriSign confirms the validity of the buyer's credit card, and then it issues a certificate to that effect. Even the merchants do not see the credit card number. For further discussion of encryption, see sra.co and verisign.com.

Other Methods of Protection

TROUBLESHOOTING. A popular defense of local area networks (LANs) is troubleshooting. For example, a cable tester can find almost any fault that can occur with LAN cabling. Another protection can be provided by protocol analyzers, which allow the user to inspect the contents of information packets as they travel through the network. Recent analyzers use expert systems, which interpret the volume of data collected by the analyzers. Some companies offer integrated LAN troubleshooting (a tester and an intelligent analyzer).

PAYLOAD SECURITY. Payload security involves encryption or other manipulation of data being sent over networks. Payload refers to the contents of messages and communication services among dispersed users.
An example of payload security is Pretty Good Privacy (PGP), which permits users to inexpensively create and encrypt a message. (See pgp.com for free software.)

HONEYNETS. Companies can trap hackers by watching what the hackers are doing. These traps are referred to as honeypots; they are traps designed to work like real systems and attract hackers. A network of honeypots is called a honeynet. For details, see Piazza (2001) and honeynet.org.

Securing Your PC

Your PC at home is connected to the Internet and needs to be protected (Luhn and Spanbauer, 2002). Therefore, solutions such as antivirus software (e.g., Norton Antivirus 2002) and a personal firewall are essential. (You can get a free Internet connection firewall with Microsoft Windows or pay $30 to $50 for products such as McAfee Firewall.) If you use a gateway/router at home, you need to protect it as well, if it does not have built-in protection. You need protection against stealthware as well. Stealthware refers to hidden programs that come with free software you download. These programs track your surfing activities, reporting them to a marketing server. Programs such as Pest Control and Spy Blocker can help. Finally, you need an antispam tool (e.g., SpamKiller). All of the tools just mentioned can be combined in suites (e.g., Internet Security from McAfee or Symantec).

Securing Wireless Networks

Wireless networks are more difficult to protect than wireline ones. While many of the risks of desktop Internet-based commerce will pervade m-commerce, m-commerce itself presents new risks. This topic was discussed in Chapter 6. In addition, lately there is a recognition that malicious code may penetrate wireless networks. Such code has the ability to undermine controls such as authentication and encryption (Ghosh and Swaminatha, 2001, and Biery and Hager, 2001). For a comprehensive commercial suite to protect wireless networks, see MebiusGuard at symbal.com.

SUMMARY. It should be clear from this chapter how important it is for organizations to secure networks. What do organizations actually do? What security technologies are used the most? According to the CSI/FBI report (Richardson, 2003), 99 percent of all companies use anti-virus software, 92 percent use access control, 98 percent use firewalls, 91 percent use physical security, 73 percent use intrusion detection, 69 percent use encrypted files, 58 percent use encrypted login, 47 percent use reusable passwords, and only 11 percent use biometrics. While some measures are commonly used, others, especially new ones such as biometrics, are not yet in regular use.

15.6 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

Disasters may occur without warning. According to Strassman (1997), the best defense is to be prepared. Therefore, an important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster. Destruction of all (or most) of the computing facilities can cause significant damage. Therefore, it is difficult for many organizations to obtain insurance for their computers and information systems without showing a satisfactory disaster prevention and recovery plan. It is a simple concept, and advance crisis planning can help minimize losses (Gerber and Feldman, 2002). The comprehensiveness of a business recovery plan is shown in Figure 15.6.

[FIGURE 15.6 Business continuity services managed by IBM. Total Continuity Program Management: overall project management, risk management, crisis management, industry benchmark. Business Continuity Program Design: understand business & IT requirements, evaluate current capabilities, develop continuity plan. IT Recovery Program Design: assess IT capabilities, develop recovery procedures, design solutions. IT Recovery Program Execution: recovery tasks, testing, other functional exercise of recovery plan & procedure. Source: IBM, Business Continuity and Recovery Services, January 2000, produced in Hong Kong. Courtesy of IBM.]

Business Continuity Planning

Disaster recovery is the chain of events linking the business continuity plan to protection and to recovery. The following are some key thoughts about the process:

- The purpose of a business continuity plan is to keep the business running after a disaster occurs. Both the ISD and line management should be involved in preparation of the plan. Each function in the business should have a valid recovery capability plan.
- Recovery planning is part of asset protection. Every organization should assign responsibility to management to identify and protect assets within their spheres of functional control.
- Planning should focus first on recovery from a total loss of all capabilities.
- Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current (see Lam, 2002).
- All critical applications must be identified and their recovery procedures addressed in the plan.
- The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.
- The plan should be kept in a safe place; copies should be given to all key managers; or it should be available on the intranet. The plan should be audited periodically.

For a methodology of how to conduct business continuity planning, see A Closer Look 15.4. Other methodologies can be found in Devargas (1999) and Rothstein (2002). Disaster recovery planning can be very complex, and it may take several months to complete (see Devargas, 1999). Using special software, the planning job can be expedited.
A CLOSER LOOK 15.4 HOW TO CONDUCT BUSINESS CONTINUITY PLANNING

There are many suggestions of how to conduct business continuity planning (BCP). Lam (2002) suggests an 8-step cyclical process shown in the figure below. In conducting BCP one should devise a policy which is central to all steps in the process. One also must test the plan on a worst-case scenario, for each potential disaster (e.g., system failure, information hacking, terrorist attack). Disruptions are analyzed from their impact on technology, information, and people. Finally, it is important to recognize the potential pitfalls of BCP. These include:

- An incomplete BCP (may not cover all aspects).
- An inadequate or ineffective BCP (unable to provide remedy).
- Overkill BCP (usually time consuming and costly).
- Uncommunicated BCP (people do not know where to find it, or its details).
- Lacking defined process (not clearly defined, chain of needed events not clear).
- Untested (may look good on paper, but no one knows, since it was never tested).
- Uncoordinated (it is not a team's work, or the team is not coordinated).
- Out of date (it was good long ago, but what about today?).
- Lacking in recovery thinking (no one thinks from A to Z how to do it).
- An impractical BCP (e.g., does not have enough time and money).

For details see Lam (2002).

[Figure: Lam's 8-step BCP cycle, with the business continuity policy at its center. Business continuity planning: (1) initiate BCP project, (2) identify business threat, (3) conduct risk analysis, (4) establish business continuity plan, (5) design business continuity plan, (6) define business continuity process, (7) test business continuity plan, (8) review business continuity plan. Business recovery planning runs alongside it: establish recovery team, design recovery plan, define recovery process, test recovery plan, review recovery plan.]

Backup Arrangements

One of the most logical ways to deal with loss of data is to back it up. A business continuity plan includes backup arrangements.
We all make a copy of all or important files and keep them separately. In addition to backing up data we are interested in quick recovery. Also, as part of business continuity one can back up an entire computer or data center. Let's look at these two arrangements.

BACKING UP DATA FILES. While everyone knows how important it is to back up data files, many neglect to do so because the process is cumbersome and time consuming. Several programs make this process easier, and some restore data as well (e.g., Ontrack.com provides EasyRecovery and File Repair, Iomega.com provides QuickSync, and Officerecovery.com provides for office recovery). For tips on how to avoid data loss by backing up data files, see Spector (2002). Backup arrangements may also include the use of network attached storage (NAS) and storage area networks (SAN) (see Technology Guide 4 and Hunton, 2002).

BACKING UP COMPUTER CENTERS. As preparation for a major disaster, such as in the 9/11 case, it is often necessary for an organization to have a backup location. External hot-site vendors provide access to a fully configured backup data center. To appreciate the usefulness of a hot-site arrangement, consider the following example:

On the evening of October 17, 1989, when a major earthquake hit San Francisco, Charles Schwab and Company was ready. Within a few minutes, the company's disaster plan was activated. Programmers, engineers, and backup computer tapes of October 17 transactions were flown on a chartered jet to Carlstadt, New Jersey. There, Comdisco Disaster Recovery Service provided a hot site. The next morning, the company resumed normal operations. Montgomery Securities, on the other hand, had no backup recovery arrangement. On October 18, the day after the quake, the traders had to use telephones rather than computers to execute trades. Montgomery lost revenues of $250,000 to $500,000 in one day.
A less costly alternative arrangement is external cold-site vendors that provide empty office space with special flooring, ventilation, and wiring. In an emergency, the stricken company moves its own (or leased) computers to the site. One company that did its disaster planning right is Empire Blue Cross and Blue Shield, as explained in IT At Work 15.2.

Physical computer security is an integral part of a total security system. Cray Research, a leading manufacturer of supercomputers (now a subsidiary of Silicon Graphics, Inc.), has incorporated a corporate security plan, under which the corporate computers are automatically monitored and centrally controlled. Graphic displays show both normal status and disturbances. All the controlled devices are represented as icons on floor-plan graphics. These icons can change colors (e.g., green means normal, red signifies a problem). The icons can flash as well. Corrective-action messages are displayed whenever appropriate. The alarm system includes over 1,000 alarms. Operators can be alerted, even at remote locations, in less than one second.

Of special interest is disaster planning for Web-based systems, as shown in an example in Online File W15.7. For some interesting methods of recovery, see the special issue of Computers and Security (2000). Finally, according to Brassil (2003), mobile computing and other innovations are changing the business continuity industry by quickly reaching a large number of people, wherever they are, and by the ability of mobile devices to help in quick restoration of service.

DISASTER AVOIDANCE. Disaster avoidance is an approach oriented toward prevention. The idea is to minimize the chance of avoidable disasters (such as fire or other human-caused threats). For example, many companies use a device called an uninterrupted power supply (UPS), which provides power in case of a power outage.
IT At Work 15.2 9/11 DISASTER RECOVERY AT EMPIRE BLUE CROSS/BLUE SHIELD

Empire Blue Cross and Blue Shield provides health insurance coverage for 4.7 million people in the northeastern United States. It is a regional arm of the Blue Cross/Blue Shield Association (bcbs.com). On September 11, 2001, the company occupied an entire floor of the World Trade Center (WTC). Information assets there included the e-business development center as well as the enterprise network of 250 servers and a major Web-enabled call center. Unfortunately, nine employees and two consultants lost their lives in the terrorist attack. But the company's operations were not interrupted. Let's see why.

The company had built redundancy into all its applications and moved much of its business to Internet technology, for connecting workforce, clients, and partners. Forty applications are available on its corporate intranet; Web-enabled call centers handle 50,000 calls each day; and Web-based applications connect the huge system of hospitals and health-care providers.

Michael Galvin, chief infrastructure officer of the company, evacuated his 100 employees from the thirtieth floor and tried to contact staff at other locations to initiate the disaster recovery plan. It was well over an hour later when he was finally able to get through jammed communication lines to find out that a quick decision made by a senior server specialist in Albany, NY, had already switched the employee profiles to the Albany location. This action saved the company days of downtime and the need to rebuild the profiles by hand. As employees moved to temporary offices, they were able to log on as if they were sitting at their desks in the WTC. The disaster recovery protocol, which is shown in the nearby figure, worked without a glitch.
Calls to the customer support center in the WTC were rerouted to centers in Albany and Long Island; customers accessing the Web site experienced no interruptions; and 150 servers, 500 laptops, and 500 workstations were ordered within an hour of the attack. In off-facility sites, the main data center was not affected; the backup tapes allowed full restoration of data; the network restructured automatically when the private enterprise network was destroyed; and all necessary information needed at the main off-site data center was rerouted, bypassing the WTC.

Besides building in the redundancy in the system, the company had also been testing different disaster scenarios frequently, making sure everything worked. As a result, the company and the technology were prepared to deal with the disaster. Everything was backed up, so once the servers were rebuilt, all information was available and all applications were functioning within days, thanks to a 300-member IT team working around the clock. Three days after the attack, a new VPN was running, enabling employees to work at home. Since that experience, Empire has made even more use of Internet technology to connect the staff that is dispersed among five temporary offices in Manhattan, and does more business by Internet-based videoconferencing, Webcasting, and IP-based phones.

Galvin emphasized that the most important part of this, or any disaster, is the people who act within minutes to get things done without direct guidance of senior management. The new corporate headquarters was opened in May 2003 in Brooklyn, NY.

Source: Compiled from Levin (2002).

For Further Exploration: Explore the usefulness of Internet technology for disaster planning. What is its advantage over older technology? Why are people the most important part when a disaster strikes?

15.7 IMPLEMENTING SECURITY: AUDITING AND RISK ANALYSIS

Implementing controls in an organization can be a very complicated task, particularly in large, decentralized companies where administrative controls may be difficult to enforce. Of the many issues involved in implementing controls, three are described here: auditing information systems, risk analysis, and advanced intelligent systems. Controls are established to ensure that information systems work properly. Controls can be installed in the original system, or they can be added once a system is in operation. Installing controls is necessary but not sufficient. It is also necessary to answer questions such as the following: Are controls installed as intended? Are they effective? Did any breach of security occur? If so, what actions are required to prevent reoccurrence? These questions need to be answered by independent and unbiased observers. Such observers perform the information system auditing task.

Auditing Information Systems

An audit is an important part of any control system. In an organizational setting, it is usually referred to as a periodical examination and check of financial and accounting records and procedures. Specially trained professionals execute an audit. In the information system environment, auditing can be viewed as an additional layer of controls or safeguards. Auditing is considered as a deterrent to criminal actions (Wells, 2002), especially for insiders.

TYPES OF AUDITORS AND AUDITS. There are two types of auditors (and audits): internal and external. An internal auditor is usually a corporate employee who is not a member of the ISD. An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit and the inputs, processing, and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm.
IT auditing can be very broad, so only its essentials are presented here. Auditing looks at all potential hazards and controls in information systems. It focuses attention on topics such as new systems development, operations and maintenance, data integrity, software application, security and privacy, disaster planning and recovery, purchasing, budgets and expenditures, chargebacks, vendor management, documentation, insurance and bonding, training, cost control, and productivity. Several guidelines are available to assist auditors in their jobs. SAS No. 55 is a comprehensive guide provided by the American Institute of Certified Public Accountants. Also, guidelines are available from the Institute of Internal Auditors, Orlando, Florida. (See Frownfelter-Lohrke and Hunton, 2002, for a discussion of new directions in IT auditing.)

Auditors attempt to answer questions such as these:

- Are there sufficient controls in the system? Which areas are not covered by controls?
- Which controls are not necessary?
- Are the controls implemented properly?
- Are the controls effective; that is, do they check the output of the system?
- Is there a clear separation of duties of employees?
- Are there procedures to ensure compliance with the controls?
- Are there procedures to ensure reporting and corrective actions in case of violations of controls?

Other items that IT auditors may check include: the data security policies and plans, the business continuity plan (Von-Roessing, 2002), the availability of a strategic information plan, what the company is doing to ensure compliance with security rules, the responsibilities of IT security, the measurement of success of the organization's IT security scheme, the existence of a security awareness program, and the security incidents reporting system. Two types of audits are used to answer these questions. The operational audit determines whether the ISD is working properly.
The compliance audit determines whether controls have been implemented properly and are adequate. In addition, auditing is geared specifically to general controls and to application controls (see Sayana, 2002). For details on how auditing is executed, see Online File W15.8.

AUDITING WEB SYSTEMS AND E-COMMERCE. According to Morgan and Wong (1999), auditing a Web site is a good preventive measure to manage the legal risk. Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection). Auditing EC is also more complex since in addition to the Web site one needs to audit order taking, order fulfillment and all support systems (see Blanco, 2002). For more about IT auditing see Woda (2002).

Risk Management and Cost-Benefit Analysis

It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore, or provide reduced protection. Installation of control measures is based on a balance between the cost of controls and the need to reduce or eliminate threats. Such analysis is basically a risk-management approach, which helps identify threats and selects cost-effective security measures (see Hiles, 2002). Major activities in the risk-management process can be applied to existing systems as well as to systems under development. These are summarized in Figure 15.7. A more detailed structure for a strategic risk management plan suggested by Doughty (2002) is provided in Online File W15.9.

[FIGURE 15.7 The risk management process.
Step 1. Assessment of Assets: determine the value and importance of assets such as data, hardware, software, and networks.
Step 2. Vulnerability of Assets: record weaknesses in the current protection system in view of all potential threats.
Step 3. Loss Analysis: assess the probability of damage and specify the tangible and intangible losses that may result.
Step 4. Protection Analysis: provide a description of available controls that should be considered, their probability of successful defense, and costs.
Step 5. Cost-Benefit Analysis: compare costs and benefits. Consider the likelihood of damage occurring and the successful protection from that damage. Finally, decide on which controls to install.]

RISK-MANAGEMENT ANALYSIS. Risk-management analysis can be enhanced by the use of DSS software packages. A simplified computation is shown here:

Expected loss = P1 × P2 × L

where:
P1 = probability of attack (estimate, based on judgment)
P2 = probability of attack being successful (estimate, based on judgment)
L = loss occurring if attack is successful

Example: P1 = .02, P2 = .10, L = $1,000,000. Then, the expected loss from this particular attack is:

Expected loss = 0.02 × 0.1 × 1,000,000 = $2,000

The expected loss can then be compared with the cost of preventing it. The value of software programs lies not only in their ability to execute complex computations, but also in their ability to provide a structured, systematic framework for ranking both threats and controls.

HOW MUCH TO SECURE? The National Computer Security Center (NCSC) of the Department of Defense published guidelines for security levels. The government uses these guidelines in its requests for bids on jobs where vendors must meet specified levels. The seven levels are shown in Online File W15.10 at the book's Web site. Vendors are required to maintain a certain security level depending on the security needs of the job. The decision of how much to secure can be treated as an insurance issue (see Kolodzinski, 2002, and Gordon et al., 2003).
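A worked version of this risk-management computation, added here as an illustration and not part of the textbook: it applies Expected loss = P1 × P2 × L to a list of threats and then carries out the cost-benefit step of Figure 15.7 for candidate controls, ranking them and flagging threats whose risk is cheaper to accept than to control. All threat probabilities, losses, control names and costs are constructed values (the first threat reproduces the chapter's $2,000 example).

```python
"""Expected-loss and cost-benefit ranking of security controls.

Added example, not the textbook's or any vendor's code. Threats and
controls below are constructed figures for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    p_attack: float     # P1: probability of attack (judgment estimate)
    p_success: float    # P2: probability the attack succeeds (judgment estimate)
    loss: float         # L: loss in dollars if the attack succeeds

    def expected_loss(self) -> float:
        # The chapter's formula: Expected loss = P1 x P2 x L
        return self.p_attack * self.p_success * self.loss


@dataclass(frozen=True)
class Control:
    name: str
    threat: str         # name of the threat this control addresses
    p_defense: float    # probability of successful defense (Figure 15.7, step 4)
    cost: float         # cost of installing and running the control


def net_benefit(threat: Threat, control: Control) -> float:
    """Expected loss avoided (P1*P2*L*p_defense) minus the control's cost."""
    return threat.expected_loss() * control.p_defense - control.cost


def rank_controls(threats, controls):
    """Return (control name, net benefit) pairs, best control first (step 5)."""
    by_name = {t.name: t for t in threats}
    scored = [(c.name, round(net_benefit(by_name[c.threat], c), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def recommend(threats, controls):
    """Controls worth installing: those with a positive net benefit."""
    return [name for name, benefit in rank_controls(threats, controls) if benefit > 0]


def threats_to_accept(threats, controls):
    """Threats the analysis says to ignore: no candidate control pays for itself."""
    by_name = {t.name: t for t in threats}
    worthwhile = {c.threat for c in controls if net_benefit(by_name[c.threat], c) > 0}
    return [t.name for t in threats if t.name not in worthwhile]


# Constructed sample data. The "dos" row is the chapter's example
# (P1 = .02, P2 = .10, L = $1,000,000, expected loss $2,000).
THREATS = [
    Threat("dos", 0.02, 0.10, 1_000_000),            # expected loss $2,000
    Threat("virus", 0.90, 0.30, 50_000),             # expected loss $13,500
    Threat("insider_fraud", 0.05, 0.60, 400_000),    # expected loss $12,000
]
CONTROLS = [
    Control("ddos_scrubbing", "dos", 0.8, 5_000),                  # 1,600 - 5,000 < 0
    Control("antivirus_suite", "virus", 0.9, 4_000),               # 12,150 - 4,000
    Control("separation_of_duties", "insider_fraud", 0.7, 3_000),  # 8,400 - 3,000
    Control("anomaly_audit_tool", "insider_fraud", 0.5, 9_000),    # 6,000 - 9,000 < 0
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:20s} expected loss ${t.expected_loss():,.0f}")
    for name, benefit in rank_controls(THREATS, CONTROLS):
        print(f"{name:22s} net benefit ${benefit:,.0f}")
    print("install:", recommend(THREATS, CONTROLS))
    print("accept risk of:", threats_to_accept(THREATS, CONTROLS))
```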
IT Security in the Twenty-first Century

Computer control and security have recently received increased attention. For example, the story of the I Love You bug captured the headlines of most newspapers, TV, and computer portals in May 2000, and other wide-scale viruses since then have received similar media play. Almost 97 percent of the world's major corporations battled computer viruses in 2002. Several important IT-security trends are discussed in this section.

INCREASING THE RELIABILITY OF SYSTEMS. The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail. Compaq Computer and other PC manufacturers provide a feature that stores data on more than one disk drive at the same time; if one disk fails or is attacked, the data are still available. Several brands of PCs include a built-in battery that is automatically activated in case of power failure. Some systems today have 10,000 to 20,000 components, each of which can go a million hours without failure, but a combined system may go only 100 hours until it fails. With future systems of 100,000 components, the mathematical odds are that systems will fail every few minutes, clearly an unacceptable situation. Therefore, it is necessary to improve system reliability.

SELF-HEALING COMPUTERS. As computing systems become more complex, they require higher amounts of human intervention to keep operating. Since the level of complexity is accelerating (e.g., see Grid Computing in Chapter 2), there is an increasing need for self-healing computers. Ideally, recovery can be done instantly if computers can find their problems and correct them themselves, before a system crashes. According to Van (2003), IBM is engaged in a project known as automatic computing, which aims at making computers more self-sufficient and less fragile. The basic idea is borrowed from the human body and its immune system.
IBM's first known self-healing computer is called eLiza; it is attached to a huge supercomputer, called Blue Sky, at the National Center for Atmospheric Research in the United States. For further discussion see Pescovitz (2002).

INTELLIGENT SYSTEMS FOR EARLY INTRUSION DETECTION. Detecting intrusion in its beginning is extremely important, especially for classified information and financial data. Expert systems and neural networks are used for this purpose. For example, intrusion-detecting systems are especially suitable for local area networks and client/server architectures. This approach compares users' activities on a workstation network against historical profiles and analyzes the significance of any discrepancies. The purpose is to detect security violations. The intrusion-detecting approach is used by several government agencies (e.g., Department of Energy and the U.S. Navy) and large corporations (e.g., Citicorp, Rockwell International, and Tracor). It detects other things as well, for example, compliance with security procedures. People tend to ignore security measures (20,000 to 40,000 violations were reported each month in a large aerospace company in California). The system detects such violations so that improvements can be made.

INTELLIGENT SYSTEMS IN AUDITING AND FRAUD DETECTION. Intelligent systems are used to enhance the task of IS auditing. For example, expert systems evaluate controls and analyze basic computer systems, while neural networks and data mining are used to detect fraud (e.g., see Sheridan, 2002).

ARTIFICIAL INTELLIGENCE IN BIOMETRICS. Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems. For example, Fujitsu of Japan developed a computer mouse that can identify users by the veins of their palms, detecting unauthorized users.

EXPERT SYSTEMS FOR DIAGNOSIS, PROGNOSIS, AND DISASTER PLANNING.
Expert systems can be used to diagnose troubles in computer systems and to suggest solutions. The user provides the expert system with answers to questions about symptoms. The expert system uses its knowledge base to diagnose the source(s) of the trouble. Once a proper diagnosis is made, the computer provides a restoration suggestion. For example, Exec Express (e-exec.co.uk) sells intranet-based business recovery planning expert systems that are part of a bigger program called Self-Assessment. The program is used to evaluate a corporation's environment for security, procedures, and other risk factors.

SMART CARDS. Smart card technology can be used to protect PCs on LANs. An example is Excel MAR 10 (from MacroArt Technology, Singapore), which offers six safety levels: identification of authorized user, execution of predetermined programs, authentication, encryption of programs and files, encryption of communication, and generation of historical files. This product can also be integrated with a fingerprint facility. The user's smart card is authenticated by the system, using signatures identified with a secret key and the encryption algorithm. Smart cards containing embedded microchips can generate unique passwords (used only once) that confirm a person's identity.

FIGHTING HACKERS. Several products are available for fighting hackers. Secure Networks (snc-net.com) developed a product that is essentially a honeynet, a decoy network within a network. The idea is to lure the hackers into the decoy to find what tools they use and detect them as early as possible.

ETHICAL ISSUES. Implementing security programs raises many ethical issues (see Azari, 2003). First, some people are against any monitoring of individual activities. Imposing certain controls is seen by some as a violation of freedom of speech or other civil rights. Reda (2002) cited a Gartner Group study that showed that even after the terrorist attacks of 9/11/2001, only 26 percent of Americans approved a national ID database.
Using biometrics is considered by many a violation of privacy. Finally, using automated traceback programs, described earlier, may be unethical in some cases or even illegal (Lee and Shields, 2002). 722 CHAPTER 15 MANAGING INFORMATION RESOURCES AND SECURITY MANAGERIAL ISSUES 1. To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department reporting to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justiable. Having the IS report to the CEO is very desirable. 2. Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIOs responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO. 3. End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties. 4. Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the nance department, the nance department will have access to information about individuals or other departments that could be misused. 5. Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. 
The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks. 6. Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporatewide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do. 7. Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS not because the insurance company may ask for it, but because it can save considerable amounts of money. On the other hand, overauditing is not cost-effective. 8. Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer a complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization. CHAPTER HIGHLIGHTS 723 ON THE WEB SITE Additional resources, including quizzes; online les of additional text, tables, gures, and cases; and frequently updated Web links to current articles and information can be found on the books Web site (wiley.com/college/turban). 
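The intrusion-detection approach described in Section 15.7 compares each user's current activity against a historical profile and judges the significance of any discrepancy. The Python program below is an added illustration of that idea; it is not from the textbook or from any of the products the chapter names. It builds a per-user profile (logins per day, off-hours logins, distinct workstations) from constructed login records, scores a new day by z-score against that profile, and reports the features whose deviation reaches a threshold. The record format, the user and host names, the office-hours window (07:00 to 19:00), the threshold of 3.0 and the standard-deviation floor of 0.5 are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed login records in an assumed format (not from the textbook).
# Four days of ordinary history for two users.
HISTORY = """
2003-07-14T09:12 user=alice host=ws-17 event=login
2003-07-14T13:40 user=alice host=ws-17 event=login
2003-07-14T17:55 user=alice host=ws-17 event=logout
2003-07-15T08:55 user=alice host=ws-17 event=login
2003-07-15T14:02 user=alice host=ws-17 event=login
2003-07-16T09:01 user=alice host=ws-17 event=login
2003-07-16T12:30 user=alice host=ws-17 event=login
2003-07-16T16:45 user=alice host=ws-17 event=login
2003-07-17T09:20 user=alice host=ws-17 event=login
2003-07-17T13:05 user=alice host=ws-17 event=login
2003-07-14T08:10 user=bob host=ws-03 event=login
2003-07-15T08:05 user=bob host=ws-03 event=login
2003-07-16T08:20 user=bob host=ws-03 event=login
2003-07-17T08:15 user=bob host=ws-03 event=login
""".strip().splitlines()

# The day under review (constructed): alice logs in at night from an unfamiliar
# workstation, bob behaves as usual, carol has no history at all.
NEW_DAY = """
2003-07-18T02:14 user=alice host=ws-42 event=login
2003-07-18T02:30 user=alice host=ws-42 event=login
2003-07-18T03:05 user=alice host=ws-17 event=login
2003-07-18T09:10 user=alice host=ws-17 event=login
2003-07-18T08:30 user=bob host=ws-03 event=login
2003-07-18T22:40 user=carol host=ws-09 event=login
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2} "
    r"user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one record; reject anything that does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    return rec


def daily_features(lines, office_hours=(7, 19)):
    """Aggregate login events into per-(user, day) counters:
    number of logins, logins outside office hours, distinct hosts used."""
    days = defaultdict(lambda: {"logins": 0, "off_hours": 0, "hosts": set()})
    for rec in map(parse_line, lines):
        if rec["event"] != "login":
            continue
        day = days[(rec["user"], rec["date"])]
        day["logins"] += 1
        if not office_hours[0] <= rec["hour"] < office_hours[1]:
            day["off_hours"] += 1
        day["hosts"].add(rec["host"])
    return {key: {"logins": d["logins"], "off_hours": d["off_hours"], "hosts": len(d["hosts"])}
            for key, d in days.items()}


def build_profiles(history_lines):
    """Historical profile per user: (mean, population std dev) of each daily feature."""
    samples = defaultdict(lambda: defaultdict(list))
    for (user, _date), feats in daily_features(history_lines).items():
        for name, value in feats.items():
            samples[user][name].append(value)
    return {user: {name: (mean(vals), pstdev(vals)) for name, vals in feats.items()}
            for user, feats in samples.items()}


def score_day(profiles, new_lines, threshold=3.0, min_std=0.5):
    """Return the discrepancies whose z-score reaches the threshold, largest first.

    min_std floors the standard deviation so that a user whose history never
    varies (std dev 0) is not flagged by every one-unit change, and so that a
    z-score can always be computed. A user with no profile cannot be scored and
    is reported explicitly rather than silently skipped.
    """
    findings = []
    for (user, date), feats in daily_features(new_lines).items():
        profile = profiles.get(user)
        if profile is None:
            findings.append({"user": user, "date": date, "feature": "no_profile",
                             "value": None, "z": float("inf")})
            continue
        for name, value in feats.items():
            mu, sigma = profile[name]
            z = (value - mu) / max(sigma, min_std)
            if z >= threshold:
                findings.append({"user": user, "date": date, "feature": name,
                                 "value": value, "z": z})
    findings.sort(key=lambda f: f["z"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in score_day(build_profiles(HISTORY), NEW_DAY):
        print(f"{f['user']:6} {f['date']} {f['feature']:10} value={f['value']} z={f['z']:.1f}")
```

Run as a script, it reports carol (no profile to compare against), then alice's off-hours logins and login count; alice's use of a second workstation (z = 2.0) falls below the threshold, and bob is not reported. The same mechanism serves the chapter's second use, checking compliance with security procedures, by adding a feature for each procedure (for example, logins without a preceding badge-in) and scoring it the same way.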
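Managerial Issue 7 and the risk analysis of Section 15.7 both come down to one question: does a control avoid more loss per year than it costs per year? The Python program below is an added worked example of that cost-benefit analysis of controls; it is not the textbook's own material. It models the elements the chapter lists (threats, the exposure associated with each threat, the risk of each threat occurring, the cost of controls, and their effectiveness), computes the annualized loss expectancy before and after controls, and picks the set of controls with the largest net benefit within a budget. Every threat and control figure is constructed for the example, and the assumption that independent controls reduce loss multiplicatively is the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Threat:
    name: str
    exposure: float      # single-loss expectancy: dollars lost each time the threat occurs
    annual_rate: float   # expected occurrences per year (the risk of the threat occurring)

    def ale(self) -> float:
        """Annualized loss expectancy with no controls in place."""
        return self.exposure * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float               # amortized purchase price plus yearly maintenance
    effectiveness: Dict[str, float]  # threat name -> fraction of occurrences it prevents


def annualize(purchase: float, useful_life_years: float, maintenance: float) -> float:
    """Spread a one-time purchase over its useful life and add yearly maintenance."""
    return purchase / useful_life_years + maintenance


def residual_ale(threats: List[Threat], controls: List[Control]) -> float:
    """Expected yearly loss that remains after the given controls are in place.
    Assumption: controls act independently, so their leftover fractions multiply."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.effectiveness.get(t.name, 0.0)
        total += t.ale() * remaining
    return total


def control_cost(controls: List[Control]) -> float:
    return sum(c.annual_cost for c in controls)


def net_benefit(threats: List[Threat], controls: List[Control]) -> float:
    """Loss avoided per year minus what the controls cost per year."""
    return residual_ale(threats, []) - residual_ale(threats, controls) - control_cost(controls)


def select_controls(threats: List[Threat], candidates: List[Control], budget: float) -> List[Control]:
    """Greedy selection: repeatedly add the affordable control with the largest
    marginal net benefit, stopping when no remaining control pays for itself.
    A control that costs more than the loss it avoids is never chosen, which is
    the chapter's point that overcontrol is not cost-effective."""
    chosen: List[Control] = []
    remaining = list(candidates)
    while remaining:
        base = net_benefit(threats, chosen)
        best, best_gain = None, 0.0
        for c in remaining:
            if control_cost(chosen + [c]) > budget:
                continue
            gain = net_benefit(threats, chosen + [c]) - base
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed risk register; all figures are invented for the example.
THREATS = [
    Threat("virus outbreak", exposure=50_000, annual_rate=2.0),
    Threat("internet intrusion", exposure=120_000, annual_rate=1.5),
    Threat("data center fire", exposure=2_000_000, annual_rate=0.01),
]
CANDIDATES = [
    Control("firewall", annualize(60_000, 3, 6_000), {"internet intrusion": 0.95}),
    Control("antivirus", 8_000, {"virus outbreak": 0.8}),
    Control("intrusion detection", 30_000, {"internet intrusion": 0.5, "virus outbreak": 0.2}),
    Control("fire suppression", 25_000, {"data center fire": 0.5}),
]

if __name__ == "__main__":
    chosen = select_controls(THREATS, CANDIDATES, budget=60_000)
    print("ALE without controls: $%.0f" % residual_ale(THREATS, []))
    print("adopt:", [c.name for c in chosen])
    print("residual ALE: $%.0f, control cost: $%.0f, net benefit: $%.0f" % (
        residual_ale(THREATS, chosen), control_cost(chosen), net_benefit(THREATS, chosen)))
```

With these figures the firewall and the antivirus product are adopted, intrusion detection is rejected because the firewall already removes most of the loss it would address, and fire suppression is rejected because the rare, large fire has a smaller annualized loss than the control's yearly cost. Changing the budget, the rates or the effectiveness figures shows how sensitive the decision is to each element of the analysis.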
KEY TERMS

Application controls
Attack traceback
Audit
Authorization
Biometric control
Business continuity plan
Chief information officer (CIO)
Cracker
Cybercrime
Cyberwar
Data integrity
Data tampering
Denial of service (DoS)
Distributed denial of service (DDoS)
Disaster avoidance
Disaster recovery
Encryption
Exposure
Fault tolerance
Firewall
General controls
Hacker
Honeynets
Honeypots
Identity theft
Information center (IC)
Information resources management (IRM)
IT governance
Programming attack
Risk management
Self-healing computers
Service-level agreement (SLA)
Social engineering
Steering committee
Stealthware
Virus
Vulnerability
Zombies

CHAPTER HIGHLIGHTS (Numbers Refer to Learning Objectives)

- Information resources scattered throughout the organization are vulnerable to attacks, and therefore are difficult to manage.
- The responsibility for IRM is divided between the ISD and end users. They must work together.
- Steering committees, information centers, and service-level agreements can reduce conflicts between the ISD and end users.
- ISD reporting locations can vary, but a preferred location is to report directly to senior management.
- The chief information officer (CIO) is a corporate-level position demonstrating the importance and changing role of IT in organizations.
- Data, software, hardware, and networks can be threatened by many internal and external hazards.
- An attack on an information system can be caused either accidentally or intentionally.
- There are many potential computer crimes; some resemble conventional crimes (embezzlement, vandalism, fraud, theft, trespassing, and joyriding).
- Computer criminals are driven by economic, ideological, egocentric, or psychological factors. Most of the criminals are insiders, but outsiders (such as hackers, crackers, and spies) can cause major damage as well.
- A virus is a computer program hidden within a regular program that instructs the regular program to change or destroy data and/or programs. Viruses spread very quickly along networks worldwide.
- Information systems are protected with controls such as security procedures, physical guards, or detecting software. These are used for prevention, deterrence, detection, recovery, and correction of information systems.
- General controls include physical security, access controls, data security controls, communications (network) controls, and administrative controls.
- Biometric controls are used to identify users by checking physical characteristics of the user (e.g., fingerprints and retinal prints).
- Application controls are usually built into the software. They protect the data during input, processing, or output.
- Encrypting information is a useful method for protecting transmitted data.
- The Internet is not protected; therefore anything that comes from the Internet can be hazardous.
- Firewalls protect intranets and internal systems from hackers, but not from viruses.
- It is extremely difficult and expensive to protect against all possible threats to IT systems. Therefore, it is necessary to use cost-benefit analysis to decide how many and which controls to adopt.
- Access control, authentication, and authorization are the backbone of network security.
- Disaster recovery planning is an integral part of effective control and security management.
- A detailed internal and external IT audit may involve hundreds of issues and can be supported by both software and checklists.
- Business continuity planning includes backup of data and computers and a plan for what to do when disaster strikes.

QUESTIONS FOR REVIEW

1. What are possible reporting locations for the ISD?
2. Why has the ISD historically reported to finance or accounting departments?
3. List the mechanisms for ISD/end-user cooperation.
4. Summarize the new role of the CIO.
5. List Rockart's eight imperatives.
6. What is a steering committee?
7. Define SLAs and discuss the roles they play.
8. What are the services to end users that are usually provided by an information (help) center?
9. Define controls, threats, vulnerability, and backup.
10. What is a computer crime?
11. List the four major categories of computer crimes.
12. What is a cybercrime?
13. What is the difference between hackers and crackers?
14. Explain a virus and a Trojan horse.
15. Explain a corporatewide security system.
16. Define controls.
17. Describe prevention, deterrence, detection, recovery, and correction.
18. Define biometrics; list five of them.
19. Distinguish between general controls and application controls.
20. What is the difference between authorized and authenticated users?
21. Explain DoS and how to defend against it.
22. How do you protect against viruses?
23. Define firewall. What is it used for?
24. Explain encryption.
25. Define a business continuity plan.
26. Define and describe a disaster recovery plan.
27. What are hot and cold recovery sites?
28. Describe auditing of information systems.
29. List and briefly describe the steps involved in risk analysis of controls.

QUESTIONS FOR DISCUSSION

1. What is a desirable location for the ISD to report to, and why?
2. What information resources are usually controlled by the ISD, and why?
3. Discuss the new role of the CIO and the implications of this role for management.
4. Why should information control and security be a prime concern to management?
5. Compare the computer security situation with that of insuring a house.
6. Explain what firewalls protect and what they do not protect. Why?
7. What is the purpose of biometrics? Why are they popular?
8. Describe how IS auditing works and how it is related to traditional accounting and financial auditing.
9. Why are authentication and authorization important in e-commerce?
10. Some insurance companies will not insure a business unless the firm has a computer disaster recovery plan. Explain why.
11. Explain why risk management should involve the following elements: threats, exposure associated with each threat, risk of each threat occurring, cost of controls, and assessment of their effectiveness.
12. Some people have recently suggested using viruses and similar programs in wars between countries. What is the logic of such a proposal? How could it be implemented?
13. How important is it for a CIO to have an extensive knowledge of the business?
14. Why is it necessary to use SLAs with vendors? What are some of the potential problems in such situations?
15. Compare TQM to a corporatewide security plan. What is similar? What is different?
16. Why do intelligent systems play an increasing role in securing IT?
17. Why is cross-border cybercrime expanding rapidly? Discuss some possible solutions.
18. Discuss the relationships between grid computing and self-healing computers.

EXERCISES

1. Examine Online File W15.4. Read some new material on the CIO and add any new roles you find in your reading. Which of the roles in the table seem to have gained importance and which seem to have lost importance?

2. Assume that the daily probability of a major earthquake in Los Angeles is .07%. The chance of your computer center being damaged during such a quake is 5%. If the center is damaged, the average estimated damage will be $1.6 million.
   a. Calculate the expected loss (in dollars).
   b. An insurance agent is willing to insure your facility for an annual fee of $15,000. Analyze the offer, and discuss it.

3. The theft of laptop computers at conventions, hotels, and airports is becoming a major problem. These categories of protection exist: physical devices (e.g., targus.com), encryption (e.g., networkassociates.com), and security policies (e.g., at ebay.com). Find more information on the problem and on the solutions. Summarize the advantages and limitations of each method.

4. Expert systems can be used to analyze the profiles of computer users. Such analysis may enable better intrusion detection. Should an employer notify employees that their usage of computers is being monitored by an expert system? Why or why not?

5. Ms. M. Hsieh worked as a customer support representative for the Wollongong Group, a small software company (Palo Alto, California). She was fired in late 1987. In early 1988, Wollongong discovered that someone was logging onto its computers at night via a modem and had altered and copied files. During the investigation, the police traced the calls to Ms. Hsieh's home and found copies there of proprietary information valued at several million dollars. It is interesting to note that Ms. Hsieh's access code was canceled the day she was terminated. However, the company suspects that Ms. Hsieh obtained the access code of another employee. (Source: Based on BusinessWeek, August 1, 1988, p. 67.)
   a. How was the crime committed? Why were the controls ineffective? (State any relevant assumptions.)
   b. What can Wollongong, or any company, do in order to prevent similar incidents in the future?

6. Guarding against a distributed denial of service attack is not simple. Examine the major tools and approaches available. Start by downloading software from nipc.gov. Also visit cert.org, sans.org, and ciac.llnl.gov. Write a report summarizing your findings.

7. Twenty-five thousand messages arrive at an organization each year. Currently there are no firewalls. On the average there are 1.2 successful hackings each year. Each successful hacking results in a loss to the company of about $130,000. A major firewall is proposed at a cost of $66,000 and a maintenance cost of $5,000. The estimated useful life is 3 years. The chance that an intruder will break through the firewall is 0.0002. In such a case, the damage will be $100,000 (30%) or $200,000 (50%), or no damage. There is an annual maintenance cost of $20,000 for the firewall.
   a. Should management buy the firewall?
   b. An improved firewall that is 99.9988 percent effective, costs $84,000, and has a life of 3 years and an annual maintenance cost of $16,000, is available. Should this one be purchased instead of the first one?

8. In spring 2000 the U.S. government developed an internal intrusion detection network (fidnet.gov) to protect itself from hackers. The Center for Democracy and Technology (cdt.org) objected, claiming invasion of privacy. Research the status of the project (FIDNet) and discuss the claims of the center.

GROUP ASSIGNMENTS

1. With the class divided into groups, have each group visit an IS department. Then present the following in class: an organizational chart of the department; a discussion of the department's CIO (director) and her or his reporting status; information on a steering committee (composition, duties); information on any SLAs the department has; and a report on the extent of IT decentralization in the company.

2. Each group is to be divided into two parts. The first part will interview students and business people and record the experiences they have had with computer security problems. The second part of each group will visit a computer store (and/or read the literature or use the Internet) to find out what software is available to fight different computer security problems. Then, each group will prepare a presentation in which they describe the problems and identify which of the problems could have been prevented with the use of commercially available software.

3. Create groups to investigate the latest developments in IT and e-commerce security. Check journals such as CIO.com (available free online), vendors, and search engines such as techdata.com and google.com.

4. Research the Melissa attack in 1999. Explain how the virus works and what damage it causes. Examine Microsoft's attempts to prevent similar future attacks. Investigate similarities between the 2003 viruses (Slammer, Bugbear, etc.) and earlier ones (e.g., I Love You and Melissa). What preventive methods are offered by security vendors?

INTERNET EXERCISES

1. Explore some job-searching Web sites (such as brassring.com and headhunter.com), and identify job openings for CIOs. Examine the job requirements and the salary range. Also visit google.com and cio.com, and find some information regarding CIOs, their roles, salaries, and so forth. Report your findings.

2. Enter scambusters.org. Find out what the organization does. Learn about e-mail scams and Web site scams. Report your findings.

3. Access the site of comdisco.com. Locate and describe the latest disaster recovery services.

4. Enter epic.org/privacy/tools.html, and examine the following groups of tools: Web encryption, disk encryption, and PC firewalls. Explain how these tools can be used to facilitate the security of your PC.

5. Access the Web sites of the major antivirus vendors (symantec.com, mcafee.com, and antivirus.com). Find out what the vendors' research centers are doing. Also download VirusScan from McAfee and scan your hard drive with it.

6. Many newsgroups are related to computer security (groups.google.com; alt.comp.virus; comp.virus; maous.comp.virus). Access any of these sites to find information on the most recently discovered viruses.

7. Check the status of biometric controls. See the demo at sensar.com. Check what Microsoft is doing with biometric controls.

8. Enter vil.nai.com/vil/default.asp. Find information about viruses. What tips does McAfee (mcafeeb2b.com) give for avoiding or minimizing the impact of viruses?

9. You have installed a DSL line in your home. You read in this chapter that you need a personal firewall. Enter securitydogs.com, macafee.com, or symantec.com. Find three possible products. Which one do you like best? Why?

10. Access a good search engine (e.g., google.com or findarticles.com). Find recent articles on disaster planning. Prepare a short report on recent developments in disaster recovery planning.

11. The use of smart cards for electronic storage of user identification, user authentication, changing passwords, and so forth is on the rise. Surf the Internet and report on recent developments. (For example, try the Web sites microsoft.com/windows/smartcards, litronic.com, gemplus.com, or scia.org.)

12. Access the Web site 2600.com and read the 2600 Magazine. Also try waregone.com and skynamic.com. Prepare a report that shows how easy it is to hack successfully.

13. Enter ncsa.com and find information about why hackers do the things they do. Write a report.

14. Enter biopay.com and other vendors of biometrics and find the devices they make that can be used for access control into information systems. Prepare a list of major capabilities.

Minicase 1: Putting IT to Work at Home Depot

Home Depot is the world's largest home-improvement retailer, a global company that is expanding rapidly (about 200 new stores every year). With over 1,500 stores (mostly in the United States and Canada, and now expanding to other countries) and about 50,000 kinds of products in each store, the company is heavily dependent on IT, especially since it started to sell online.

To align its business and IT operations, Home Depot created a business and information service model, known as the Special Projects Support Team (SPST). This team collaborates both with the ISD and business colleagues on new projects, addressing a wide range of strategic and tactical needs. These projects typically occur at the intersection of business processes. The team is composed of highly skilled employees. Actually, there are several teams, each with a director and a mix of employees, depending on the project. For example, system developers, system administrators, security experts, and project managers can be on a team. The teams exist until the completion of a project; then they are dissolved and the members are assigned to new teams.
All teams report to the SPST director, who reports to a VP of Technology. To ensure collaboration among end users, the ISD and the SPST created structured (formal) relationships. The basic idea is to combine organizational structure and process flow in a way that is designed to do the following:

- Achieve consensus across departmental boundaries with regard to strategic initiatives.
- Accommodate the highest possible levels of operational stability.
- Leverage the extensive code base, and leverage function and component reuse.
- Leverage Home Depot's extensive infrastructure and IS resource base.
- Prioritize strategic initiatives.
- Bridge the gap between business concept and detailed specifications.
- Result in the lowest possible operational costs.
- Achieve consistently high acceptance levels by the end-user community.
- Comply with evolving legal guidelines.
- Define key financial elements (cost-benefit analysis, ROI, etc.).
- Identify and render key feedback points for project metrics.
- Support very high rates of change.
- Support the creation of multiple, simultaneous threads of work across disparate time lines.
- Promote known, predictable, and manageable workflow events, event sequences, and change management processes.

Online File W15.11 shows how this kind of organization works for Home Depot's e-commerce activities. There is a special EC steering committee which is connected to the CIO (who is a senior VP), to the VP for marketing and advertising, and to the VP for merchandising (merchandising deals with procurement). The SPST is closely tied to the ISD, to marketing, and to merchandising. The data center is shared with non-EC activities.

The SPST migrated to an e-commerce team in August 2000 in order to construct a Web site supporting a national catalog of products, which was completed in April 2001. (This catalog contains over 400,000 products from 11,000 vendors.) This project required the collaboration of virtually every department in Home Depot (e.g., see finance/accounting, legal, loss prevention, etc., in the figure). Contracted services were also involved. (The figure in Online File W15.11 shows the workflow process.) Since 2001, SPST has been continually busy with EC initiatives, including improving the growing Home Depot online store.

The cross-departmental nature of the SPST explains why it is an ideal structure to support the dynamic, ever-changing work of the EC-related projects. The structure also considers the skills, strengths, and weaknesses of the IT employees. The company offers both online and offline training aimed at improving those skills. Home Depot is consistently ranked among the best places to work for IT employees.

Sources: Compiled from Alberts (2001) and from homedepot.com (2003).

Questions for Minicase 1

1. Read Chapter 9 (Sections 9.9 and 9.10) regarding team-based organizations. Explain why the team-based structure at Home Depot is so successful.
2. The structure means that the SPST reports to both marketing and technology. This is known as a matrix structure. What are the potential advantages and problems?
3. How is collaboration facilitated by IT in this case?
4. Why is the process flow important in this case?

Minicase 2: Managing Security

The Internet Security Alliance (isalliance.org) was formed in April 2001. The alliance is a collaborative endeavor of Carnegie Mellon University's Software Engineering Institute (SEI); its CERT Coordination Center (CERT/CC); the Electronics Industries Alliance (EIA), a federation of trade groups; and other private and public member organizations and corporations. Its goal is to provide information sharing and leadership on information security and to represent its members before regulators. On September 9, 2002, the alliance released results from a recent security survey conducted jointly with the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. (Durkovich, 2002).
The survey asked 227 information security specialists worldwide to compare their current attitudes towards information security with their attitudes prior to the 9/11 terrorist attacks. Overall, the results showed that the security specialists view information security as more of an issue now and that they see it as crucial to the survival of their organization or business. However, most answered that they still feel inadequately prepared to meet their current security challenges and, just as importantly, that most lacked senior management commitment to address these challenges. The following are some of the specific survey findings:

- 91 percent recognize the importance of information security.
- Most of the organizations reported at least one attack in the past year, with approximately 30 percent reporting more than six attacks.
- 48 percent said that the 9/11 attacks made them more concerned about information security, while 48 percent said there had been no change in their attitudes.
- 47 percent said that their organization had increased spending on information security since the attacks.
- 40 percent said that they had improved their physical security, electronic security, network security, and security policies since the attacks.
- 30 percent indicated that their companies are still inadequately prepared to deal with security attacks.

The Internet Security Alliance has identified 10 of the highest priority and most frequently recommended practices necessary for implementation of a successful security process. The practices encompass policy, process, people, and technology. They include (ISAlliance, 2002):

1. General management. Information security is a normal part of everyone's responsibilities, managers and employees alike. Managers must ensure that there are adequate resources, that security policies are well defined, and that the policies are reviewed regularly.

2. Policy. Security policies must address key areas such as security risk management, identification of critical assets, physical security, network security, authentication, vulnerability and incident management, privacy, and the like. Policies need to be embedded in standard procedures, practices, training, and architectures.

3. Risk management. The impacts of various risks need to be identified and quantified. A management plan needs to be developed to mitigate those risks with the greatest impact. The plan needs to be reviewed on a regular basis.

4. Security architecture and design. An enterprise-wide security architecture is required to protect critical information assets. High-risk areas (e.g., power supplies) should employ diverse and redundant solutions.

5. User issues. The user community includes general employees, IT staff, partners, suppliers, vendors, and other parties who have access to critical information systems.

6. System and network management. The key lines of defense include access control for all network devices and data, encrypted communications and VPNs where required, and perimeter protection (e.g., firewalls) based on security policies. Any software, files, and directories on the network should be verified on a regular basis. Procedures and mechanisms must be put in place that ensure that software patches are applied to correct existing problems; adequate levels of system logging are deployed; system changes are analyzed from a security perspective; and vulnerability assessments are performed on a periodic basis. Software and data must also be backed up on a regular schedule.

7. Authentication and authorization. Strict policies must be formulated and implemented for authenticating and authorizing network access. Special attention must be given to those employees accessing the network from home and on the road and to partners, contractors, and services who are accessing the network remotely.

8. Monitor and audit. Security-breaching events and changing conditions must be monitored, and the network must be inspected on a regular basis. Standards should be in place for responding to suspicious or unusual behavior.

9. Physical security. Physical access to key information assets, IT services, and resources should be controlled by two-factor authentication.

10. Continuity planning and disaster recovery. Business continuity and recovery plans need to be implemented and periodically tested to ensure that they are effective.

Sources: Compiled from Durkovich (2002) and ISAlliance (2002).

Questions for Minicase 2

1. Why does the Internet Security Alliance include both private and public members?
2. What is the mission of the Alliance?
3. Why is it beneficial to prioritize issues?
4. How would you justify the existence of the Alliance? Who should pay its costs?

Virtual Company Assignment

REFERENCES

Adams, S., Effective SLAs Define Partnership Roles, Communications News, June 2000, comnews.com (accessed August 2003).
Agarwal, R., and V. Sambamurthy, Principles and Models for Organizing the IT Function, MIS Quarterly Executive, March 2002.
Alberts, B., Home Depot's Special Projects Support Team Powers Information Management for Business Needs, Journal of Organization Excellence, Winter 2001.
Alga, N., Increasing Security Levels, Information Systems Control Journal, March-April 2002.
Austin, R. D., and C. A. R. Darby, The Myth of Secure Computing, Harvard Business Review, June 2003.
Atlas, R. I., and S. A. Young, Planting and Shaping Security Success, Security Management, August 2002.
Azari, R. (ed.), Current Security Management and Ethical Issues of Information Technology. Hershey, PA: IRM Press, 2003.
Ball, L. D., CIO on Center Stage: 9/11 Changes Everything, Information Systems Management, Spring 2002.
Becker, D., Equal Rights for CIOs, CNET News.com, June 16, 2003.
Biery, K., and D. Hager, The Risks of Mobile Communication, Security Management, December 2001.
Biermann, E., et al., A Comparison of Intrusion Detection Systems, Computers and Security, Vol. 20, 2001.
Brassil, R. A., The Changing Realities of Recovery: How Onsite and Mobile Options Have Revolutionized the Business Continuity Industry, Information Systems Control Journal, March/April 2003.
Blanco, L., Audit Trail in an E-Commerce Environment, Information Systems Control Journal, September-October 2002.
Bruno, L., Out, Out Damned Hacker!, Red Herring, January 2002.
Bugbear Worm Steals Credit Card and Password Details, Information Management and Computer Security, June 2003.
Caulfield, B., The Trouble with Biometrics, Business 2.0, September 2002.
Cilli, C., IT Governance: Why a Guideline?, Information Systems Control Journal, May-June 2003.
Computers and Security, special issue, Vol. 19, No. 1, 2000.
Davidson, P., 29 Nations Team Up Vs. Cross-border Scams, USA Today (International issue), June 17, 2003.
Davis, J. L., Using Authentication to Help Prevent Online Fraud, Direct Marketing, October 2001.
Damle, P., Social Engineering: A Tip of the Iceberg, Information Systems Control Journal, March-April 2002.
Devargas, M., Survival Is Not Compulsory: An Introduction to Business Continuity Planning, Computers and Security, Vol. 18, No. 1, 1999.
Diao, Y., et al., Using Fuzzy Control to Maximize Profits in Service Level Agreement, IBM Systems Journal, XYZ, 2002.
Doll, M. W., et al., Defending the Digital Frontier. New York: Wiley, 2003.
Doughty, K., Business Continuity: A Business Survival Strategy, Information Systems Control Journal, January-February 2002.
Doughty, K., Implementing Enterprise Security, Information Systems Control Journal, May-June 2003.
Duffy, D., Chief Executives Who Get IT, CIO Magazine, July 15, 1999.
Durkovich, C., et al., Global Computer Security Survey: Results Analysis, September 9, 2002, redsiren.com/survey.html (accessed July 18, 2003).
Earl, M. J., Blue Survivors (the CIOs), CIO Magazine, December 15, 1999-January 1, 2000.
Fadia, A., Network Security: A Hacker's Perspective. Boston, MA: Premier Press, 2002.
Frownfelter-Lohrke, C., and J. E. Hunton, New Opportunities for Information Systems Auditors, Information Systems Control Journal, May-June 2002.
Garfinkel, S., Web Security, Privacy and Commerce. Sebastopol, CA: O'Reilly and Associates, 2002.
Gerber, J. A., and E. R. Feldman, Is Your Business Prepared for the Worst?, Journal of Accountancy, April 2002.
Ghosh, A. K., and T. M. Swaminatha, Software Security and Privacy Risks in Mobile E-Commerce, Communications of the ACM, February 2001.
Granger, S., Social Engineering Fundamentals. Part I: Hacker Tactics, December 18, 2001, online.securityfocus.com (accessed July 20, 2003).
Hiles, A., Enterprise Risk Assessment and Business Impact Analysis. Rothstein Assoc., 2002.
Hinde, S., The Law, Cybercrime, Risk Assessment and Cyber Protection, Computers and Security, February 2003.
Hunton, J. E., Back Up Your Data to Survive a Disaster, Journal of Accountancy, April 2002.
ISAlliance, Common Sense Guide for Senior Managers. Internet Security Alliance, July 2002, www.isalliance.org (accessed July 15, 2003).
Jain, A., et al., Biometric Identification, Communications of the ACM, February 2000.
Jain, A., et al. (eds.), Biometrics: Personal Identification in Networked Security. New York: Kluwer, 1999.
Jiang, J. J., et al., Measuring Information Systems Service Quality, MIS Quarterly, June 2002.
Karagiannis, K., DDoS: Are You Next?, PC Magazine, January 1, 2003, pcmag.com/article2/0,4149,768385,00.asp (accessed August 2003).
Kesner, R. M., Running Information Services as a Business: Managing IS Commitments within the Enterprise, Information Strategy: The Executive Journal, Summer 2002.
Kolodzinski, O., Aligning Information Security Imperatives with Business Needs, The CPA Journal, July 2002, luca.com/cpajournal/2002/0702/nv/nv10.htm (accessed August 2003).
Lam, W., Ensuring Business Continuity, IT Pro, June 2002.
Lee, S. C., and C. Shields, Technical, Legal and Societal Challenges to Automated Attack Traceback, IT Pro, May/June 2002.
Leidner, D. E., et al., How CIOs Manage IT During Economic Decline: Surviving and Thriving Amid Uncertainty, MIS Quarterly Executive, March 2003.
Levin, C., The Insurance Plan that Came to the Rescue, PC Magazine, January 29, 2002.
Los Angeles Times, April 24, 1998.
Loundy, D. L., Computer Crime, Information Warfare and Economic Espionage. Durham, NC: Carolina Academic Press, 2003.
Luhn, R., and S. Spanbauer, Protect Your PC, PC World, July 2002.
Lux, A. G., and S. Fitiani, Fighting Internal Crime Before It Happens, Information Systems Control Journal, May-June 2002.
McConnell, M., Information Assurance in the Twenty-first Century, Supplement to Computer, February 2002.
McKinley, E., VPN Provides Rent-A-Center with a Multitude of Positive Changes, Stores, May 2003.
Mitnick, K., and W. Simon, The Art of Deception. New York: Wiley, 2002.
Mitre, CVE List Exceeds 5,000 Security Issues, September 9, 2002, cve.mitre.org/news/ (accessed July 20, 2003).
Morgan, J. P., and N. A. Wong, Conduct a Legal Web Audit, e-Business Advisor, September 1999.
Nance, B., Keep Networks Safe from Viruses, Byte, November 1996, p. 171. Updated June 2003.
O'Harrow, R., Financial Database to Screen Accounts, Washington Post, May 30, 2002.
Pantry, S., and P. Griffiths, A Complete Guide for Preparing and Implementing Service Level Agreements, 2nd ed. London: Library Association Publishing, 2002.
Pescovitz, D., Helping Computers Help Themselves, IEEE Spectrum, September 2002.
Piazza, P., Honeynet Attracts Hacker Attack, Security Management, November 2001.
Pooley, J., Blocking Information Passes, Security Management, July 2002.
Prometheum Technologies, How Does a Virtual Private Network (VPN) Work?, April 2003, prometheum.com/m_vpn.htm (accessed August 2003).
Reda, S., Brave New World of Biometrics, Stores, May 2002.
Richardson, R., 2003 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute (gocsi.com), 2003.
Robinson, C., The Role of a Chief Security Officer, CIO Asia, April 2003 (cio-asia.com).
Rockart, J. F., et al., Eight Imperatives for the New IS Organization, Sloan Management Review, Fall 1996.
Ross, J. W., et al., Develop Long-Term Competitiveness Through IT Assets, Sloan Management Review, Fall 1996.
Ross, J. W., and D. F. Feeny, The Evolving Role of the CIO, in R. Zmud (ed.), Framing the Domain of IT Management. Cincinnati, OH: Pinnaflex Educational Resources, 2000.
Rothstein, P. J., Develop a Disaster Recovery/Business Continuity Plan. Brookfield, CT: Rothstein Assoc., 2002.
Sambamurthy, V., et al., Managing in the Digital Era, in G. Dickson and G. DeSanctis, Information Technology and the Future Enterprise. Upper Saddle River, NJ: Prentice-Hall, 2001.
sans.org, The Twenty Most Critical Internet Security Vulnerabilities, SANS Institute, sans.org/top20 (accessed April 2003).
Sayana, S. A., Auditing General and Application Controls, Information Systems Control Journal, September/October 2002.
Scalet, S. D., Immune Systems, CIO Magazine, June 1, 2003.
Seddon, P. B., et al., Measuring Organizational IS Effectiveness, Data Base, Spring 2002.
Shand, D., Service Level Agreements, Computerworld, January 22, 2001.
Sheridan, R. M., Working the Data Mines, Security Management, April 2002.
Sitonis, J. G., and B. Goldberg, Changing Role of the CIO, InformationWeek, March 24, 1997.
Sivasailam, N., et al., What Companies Are(n't) Doing about Web Site Assurance, IT Pro, May/June 2002.
Smith, R., Authentication: From Passwords to Public Keys. Boston: Addison Wesley, 2002.
South China Morning Post, news item, Hong Kong, May 21, 1999.
Spector, L., How to Avoid Data Disaster, PC World, June 2002.
Stasiak, K., Web Application Security, Information Systems Control Journal, November/December 2002.
Statonline, Technology Facts and Links, statonline.com/technologies/ facts.asp (accessed August 2003). Strassman, P., What Is the Best Defense? Being Prepared, ComputerWorld, March 31, 1997. Sullivan A., U.S. Arrests 135 in Nationwide Cybercrime Sweep, Yahoo!News, provided by Reuters, May 16, 2003. Talleur, T., Can Your Organization Survive a Cybercrime? e-Business Advisor, September 2001. REFERENCES 731 Van, J., Self Healing Computers Seen as Better Fix, Chicago Tribune, January 2, 2003. Verton, E., and J. Brownlow. Black Ice: The Invisible Threat of Cyberterrorism. New York: McGraw Hill, 2003. Von-Roessing, R., Auditing Business Continuity: Global Best Practices. Brookeld, CT: Rothstein Assoc., 2002. Walsh, N. P., Stolen Details of 6 Million Phone Users Hawked on Moscow Streets, The Guardian, January 27, 2003. Wells, J. T., Occupational Fraud: The Audit as a Deterrent, Journal of Accountancy, April 2002. White, G. B., Protecting the Real Corporate Networks, Computer Security Journal, Vol. 1, No. 4, 1999. Whitemone, J. J., A Method for Designing Secure Solutions, IBM Systems Journal, Vol. 40, #3, 2001. Wiederkehr, B., IT Securiy Awareness Programme,Information Systems Control Journal, MayJune 2003. Willcocks, L. P. and R. Sykes, The Role of the CIO and IT Function in ERP, Communications. of the ACM, April 2000. Williams, D., Are You IT-Dependent? CA Magazine, August, 2002. Woda, A., The Role of the Auditor in IT Governance, Information Systems Control Journal, vol. 2, 2002. Zenkin, D., Guidelines for Protecting the Corporate against Viruses, Computers and Security, August 2001. Zetter, K., and S. Miastkowski, Viruses: The Next Generation, PC World, December 2000.