Q1  What Is the Goal of Information Systems Security?   393

            Phishing compromises legitimate   Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email.
            brands and trademarks. See the   The phisher pretends to be a legitimate company and sends an email requesting confidential data,
            Guide (pages 420–421) for more.  such as account numbers, Social Security numbers, account passwords, and so forth.

                                           Spoofing is another term for someone pretending to be someone else. If you pretend to be
                                       your professor, you are spoofing your professor. IP spoofing occurs when an intruder uses another
                                       site’s IP address to masquerade as that other site. Email spoofing is a synonym for phishing.
                                           Sniffing is a technique for intercepting computer communications. With wired networks,
                                       sniffing requires a physical connection to the network. With wireless networks, no such connec-
                                       tion is required: Wardrivers simply take computers with wireless connections through an area
                                       and search for unprotected wireless networks. They can monitor and intercept traffic on un-
                                       secured wireless networks. Even protected wireless networks are vulnerable, as you will learn.
                                       Spyware and adware are two other sniffing techniques discussed later in this chapter.
                                           Other forms of computer crime include hacking, which is breaking into computers, serv-
                                       ers, or networks to steal data such as customer lists, product inventory data, employee data, and
                                       other proprietary and confidential data.
                                           Finally, people might inadvertently disclose data during recovery from a natural disaster.
                                       During a recovery, everyone is so focused on restoring system capability that they might ignore
                                       normal security safeguards. A request such as “I need a copy of the customer database backup”
                                       will receive far less scrutiny during disaster recovery than at other times.

                                       Incorrect Data Modification

                                       The second type of security loss in Figure 10-3 is incorrect data modification. Examples include
                                       incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary,
                                       earned days of vacation, or annual bonus. Other examples include placing incorrect informa-
                                       tion, such as incorrect price changes, on a company’s Web site or company portal.
                                           Incorrect data modification can occur through human error when employees follow proce-
                                       dures incorrectly or when procedures have been designed incorrectly. For proper internal con-
                                       trol on systems that process financial data or control inventories of assets, such as products and
                                       equipment, companies should ensure separation of duties and authorities and have multiple
                                       checks and balances in place.
                                           A final type of incorrect data modification caused by human error includes system errors.
                                       An example is the lost-update problem discussed in Chapter 5 (page 178).
                                           Computer criminals can make unauthorized data modifications by hacking into a com-
                                       puter system. For example, hackers could hack into a system and transfer people’s account bal-
                                       ances or place orders to ship goods to unauthorized locations and customers.
                                           Finally, faulty recovery actions after a disaster can result in incorrect data changes. The
                                       faulty actions can be unintentional or malicious.

                                       Faulty Service

                                       The third type of security loss, faulty service, includes problems that result because of incorrect
                                       system operation. Faulty service could include incorrect data modification, as just described. It
                                       also could include systems that work incorrectly by sending the wrong goods to a customer or
                                       the ordered goods to the wrong customer, inaccurately billing customers, or sending the wrong
                                       information to employees. Humans can inadvertently cause faulty service by making proce-
                                       dural mistakes. System developers can write programs incorrectly or make errors during the
                                       installation of hardware, software programs, and data.
                                           Usurpation occurs when computer criminals invade a computer system and replace
                                       legitimate programs with their own, unauthorized ones that shut down legitimate applica-
                                       tions and substitute their own processing to spy, steal and manipulate data, or achieve other
                                       purposes. Faulty service can also result when service is improperly restored during recovery
                                       from natural disasters.