With the opening of information systems to the global Internet and with their thorough infusion into the operation and management of business and government organisations and into the infrastructure of daily life across the world, information security issues have moved to the forefront of concerns about global well-being.
Information systems security is responsible for the integrity and safety of system resources and activities. Most organisations in developed countries are dependent on the secure operation of their information systems. In fact, the very fabric of societies often depends on this security. Multiple infrastructural grids—including power, water supply, and health care—rely on it. Information systems are at the heart of intensive care units and air traffic control systems. Financial institutions could not survive a total failure of their information systems for longer than a day or two. Electronic funds transfer systems (EFTS) handle immense amounts of money that exist only as electronic signals sent over the networks or as spots on storage disks. Information systems are vulnerable to a number of threats and require strict controls, such as continuing countermeasures and regular audits to ensure that the system remains secure.
Although instances of computer crime and abuse receive extensive media attention, human error is estimated to cause greater losses in information systems operation. Disasters such as earthquakes, floods, and fires are the particular concern of disaster recovery planning, which is a part of a corporate business continuity plan. A contingency scheme is also necessary to cover the failure of servers, telecommunications networks, or software.
Computer crime and abuse
Computer crime—illegal acts in which computers are the primary tool—costs the world economy many billions of dollars annually. Computer abuse does not rise to the level of crime, yet it involves unethical use of a computer. The objectives of the so-called hacking of information systems include vandalism, theft of consumer information, governmental and commercial espionage, sabotage, and cyberwar. Some of the more widespread means of computer crime include phishing and planting of malware, such as computer viruses and worms, Trojan horses, and logic bombs.
Phishing involves obtaining a legitimate user’s login and other information by subterfuge via messages fraudulently claiming to originate with a legitimate entity, such as a bank or government office. A successful phishing raid to obtain a user’s information may be followed by identity theft, an impersonation of the user to gain access to the user’s resources.
Computer viruses are a particularly common form of attack. These are program instructions that are able not only to perform malicious acts but also to insert copies of themselves into other programs and thus spread to other computer systems. Similar to viruses, worms are complete computer programs that replicate and propagate through telecommunications networks. Because of their ability to spread rapidly and widely, viruses and worms can inflict immense damage. The damage can be in the form of tampering with system operation, theft of large volumes of data (e.g., credit card numbers), known as data breach, or denial of service by overloading systems with a barrage of spurious requests.
In a Trojan horse attack, the malefactor conceals unauthorized instructions within an authorized program. A logic bomb consists of hidden instructions, often introduced with the Trojan horse technique, that stay dormant until a specific event occurs, at which time the instructions are activated. In one well-known case, in 1985 a programmer at an insurance company in Fort Worth, Texas, placed a logic bomb in his company’s human resources system; when he was fired and his name was deleted from the company’s employee database, the entire database was erased.
Once a system connected to the Internet is invaded, it may be used to take over many others and organize them into so-called botnets that can launch massive attacks against other systems to steal information or sabotage their operation. There is a growing concern that, in the “Internet of things,” computer-controlled devices such as refrigerators or TV sets may be deployed in botnets. The variety of devices makes them difficult to control against malware.
Information systems controls
To ensure secure and efficient operation of information systems, an organisation institutes a set of procedures and technological measures called controls. Information systems are safeguarded through a combination of general and application controls.
General controls apply to information system activities throughout an organisation. The most important general controls are the measures that control access to computer systems and the information stored there or transmitted over telecommunications networks. General controls include administrative measures that restrict employees’ access to only those processes directly relevant to their duties. As a result, these controls limit the damage that any individual employee or employee impersonator can do. Fault-tolerant computer systems installed in critical environments, such as in hospital information systems or securities marketplaces, are designed to control and isolate problems so that the system can continue to function. Backup systems, often in remote locations, may be activated in the case of failure of the primary information system.
Application controls are specific to a given application and include such measures as validating input data, logging the accesses to the system, regularly archiving copies of various databases, and ensuring that information is disseminated only to authorized users.
Controlling access to information systems became profoundly more difficult with the spread of wide area networks (WANs) and, in particular, the Internet. Users, as well as interlopers, may access systems from any unattended computer within an organisation or from virtually anywhere over the Internet. As a security measure, each legitimate user has a unique name and a regularly changed password. Another security measure is to require some form of physical authentication, such as an object (a physical token or a smart card) or a personal characteristic (fingerprint, retinal pattern, hand geometry, or signature). Many systems combine these types of measures—such as automatic teller machines, which rely on a combination of a personal identification number (PIN) and an identification card. Security measures placed between an organisation’s internal networks and the Internet are known as firewalls. These combinations of hardware and software continually filter the incoming, and often outgoing, data traffic.
A different way to prohibit access to information is via data encryption, which has gained particular importance in electronic commerce. Public key encryption is used widely in such commerce. To ensure confidentiality, only the intended addressee has the private key needed to decrypt messages that have been encrypted with the addressee’s public key. Furthermore, authentication of both parties in an electronic transaction is possible through the digital certificates issued to both parties by a trusted third party and the use of digital signatures—an additional code attached to the message to verify its origin. A type of antitampering code can also be attached to a message to detect corruption. Similar means are available to ensure that parties to an electronic transaction cannot later repudiate their participation. Some messages require additional attributes. For example, a payment in electronic cash is a type of message, with encryption used to ensure the purchaser’s anonymity, that acts like physical cash.
To continually monitor information systems, intrusion detection systems are used. They detect anomalous events and log the information necessary to produce reports and to establish the source and the nature of the possible intrusion. More active systems also attempt to prevent the intrusion upon detection in real time.
Information systems audit
The effectiveness of an information system’s controls is evaluated through an information systems audit. An audit aims to establish whether information systems are safeguarding corporate assets, maintaining the integrity of stored and communicated data, supporting corporate objectives effectively, and operating efficiently. It is a part of a more general financial audit that verifies an organisation’s accounting records and financial statements. Information systems are designed so that every financial transaction can be traced. In other words, an audit trail must exist that can establish where each transaction originated and how it was processed. Aside from financial audits, operational audits are used to evaluate the effectiveness and efficiency of information systems operations, and technological audits verify that information technologies are appropriately chosen, configured, and implemented.