Page 425 - Using MIS
Q1 What Is the Goal of Information Systems Security? 393
Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.

Phishing compromises legitimate brands and trademarks. See the Guide (pages 420–421) for more.
Spoofing is another term for someone pretending to be someone else. If you pretend to be
your professor, you are spoofing your professor. IP spoofing occurs when an intruder uses another
site’s IP address to masquerade as that other site. Email spoofing is a synonym for phishing.
Sniffing is a technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required: Wardrivers simply take computers with wireless connections through an area and search for unprotected wireless networks. They can monitor and intercept traffic on unsecured wireless networks. Even protected wireless networks are vulnerable, as you will learn. Spyware and adware are two other sniffing techniques discussed later in this chapter.
Other forms of computer crime include hacking, which is breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.
Finally, people might inadvertently disclose data during recovery from a natural disaster.
During a recovery, everyone is so focused on restoring system capability that they might ignore
normal security safeguards. A request such as “I need a copy of the customer database backup”
will receive far less scrutiny during disaster recovery than at other times.
Incorrect Data Modification
The second type of security loss in Figure 10-3 is incorrect data modification. Examples include incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus. Other examples include placing incorrect information, such as incorrect price changes, on a company’s Web site or company portal.
Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly. For proper internal control on systems that process financial data or control inventories of assets, such as products and equipment, companies should ensure separation of duties and authorities and have multiple checks and balances in place.
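The separation of duties and the checks and balances described above can be built into the system itself rather than left to procedure. The following Python example is added here and is not the textbook's own code; the roles, value limits, user directory and record values are all constructed for illustration. A change to a discount or salary must be requested by one role, fall inside a plausibility range, be approved by a different person holding an approver role, and only then be written, with every step, including each rejection, recorded in an audit trail.

```python
from dataclasses import dataclass

# Constructed policy for this example: which role may request a change to each
# field, which role may approve it, and the range outside which a value is
# rejected before anyone looks at it.
REQUEST_ROLES = {"discount": {"sales_rep"}, "salary": {"hr_clerk"}}
APPROVE_ROLES = {"discount": {"sales_manager"}, "salary": {"payroll_manager"}}
LIMITS = {"discount": (0.0, 0.30), "salary": (20_000.0, 250_000.0)}


@dataclass
class Change:
    record_id: str
    field: str
    new_value: float
    requested_by: str
    approved_by: str = ""
    state: str = "new"        # new -> requested -> approved -> applied


class Ledger:
    """Financial records guarded by dual control and an audit trail."""

    def __init__(self, users, records):
        self.users = users        # user name -> role (constructed directory)
        self.records = records    # record id -> {field: value}
        self.audit = []           # (event, record_id, field, value, actor)

    def _log(self, event, change, actor):
        self.audit.append((event, change.record_id, change.field,
                           change.new_value, actor))

    def request(self, change):
        """Validate a proposed change; True if it may go on to approval."""
        if self.users.get(change.requested_by) not in REQUEST_ROLES.get(change.field, ()):
            self._log("rejected:requester-role", change, change.requested_by)
            return False
        lo, hi = LIMITS[change.field]
        if not lo <= change.new_value <= hi:
            self._log("rejected:out-of-range", change, change.requested_by)
            return False
        change.state = "requested"
        self._log("requested", change, change.requested_by)
        return True

    def approve(self, change, approver):
        """Independent approval: never by the requester, only by an approver role."""
        if change.state != "requested":
            self._log("rejected:not-requested", change, approver)
            return False
        if approver == change.requested_by:
            self._log("rejected:self-approval", change, approver)
            return False
        if self.users.get(approver) not in APPROVE_ROLES.get(change.field, ()):
            self._log("rejected:approver-role", change, approver)
            return False
        change.approved_by, change.state = approver, "approved"
        self._log("approved", change, approver)
        return True

    def apply(self, change, actor):
        """Write to the record only once an independent approval is on file."""
        if change.state != "approved":
            self._log("rejected:unapproved", change, actor)
            return False
        self.records[change.record_id][change.field] = change.new_value
        change.state = "applied"
        self._log("applied", change, actor)
        return True


def demo():
    """Constructed walk-through; returns the ledger so the audit trail can be inspected."""
    users = {"ann": "sales_rep", "bob": "sales_manager", "cat": "hr_clerk",
             "dan": "payroll_manager"}
    records = {"cust-1": {"discount": 0.05}, "emp-7": {"salary": 60_000.0}}
    ledger = Ledger(users, records)

    # A properly requested, independently approved discount change is applied.
    ok = Change("cust-1", "discount", 0.10, requested_by="ann")
    ledger.request(ok)
    ledger.approve(ok, "bob")
    ledger.apply(ok, "bob")

    # A salary change the requester tries to approve and apply alone is blocked.
    solo = Change("emp-7", "salary", 90_000.0, requested_by="cat")
    ledger.request(solo)
    ledger.approve(solo, "cat")   # rejected: self-approval
    ledger.apply(solo, "cat")     # rejected: unapproved

    # A value outside the plausibility range never reaches an approver.
    wild = Change("cust-1", "discount", 0.95, requested_by="ann")
    ledger.request(wild)
    return ledger
```

The audit trail is the "checks and balances" half of the control: an auditor reviewing `ledger.audit` sees not only what was applied and by whom, but also every attempt that the separation-of-duties rules turned away.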
A final type of incorrect data modification caused by human error includes system errors.
An example is the lost-update problem discussed in Chapter 5 (page 178).
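To show how a system error of this kind corrupts data without anyone acting maliciously, here is an added Python example, not taken from the textbook or its Chapter 5. Two users each read the same account balance, then each write back their own computed result; the second write silently discards the first. The second half of the block shows a version-number check, a common remedy chosen for this example rather than one the page prescribes, under which a stale write is refused and must be retried against the current value. The `Account` class and all balances are constructed.

```python
class Account:
    """One record carrying a version counter (constructed example)."""

    def __init__(self, balance):
        self.balance = balance
        self.version = 0

    def read(self):
        return self.balance, self.version

    def write_unchecked(self, new_balance):
        # Naive update: overwrites whatever is there, so any update made
        # since the caller's read is lost.
        self.balance = new_balance

    def write_if_unchanged(self, new_balance, expected_version):
        # Checked update: succeeds only if nobody has written since the
        # version the caller read; otherwise the caller must re-read and retry.
        if self.version != expected_version:
            return False
        self.balance = new_balance
        self.version += 1
        return True


def lost_update():
    """Interleaving that produces the lost-update problem; returns the final balance."""
    acct = Account(100)
    bal_a, _ = acct.read()            # user A reads 100
    bal_b, _ = acct.read()            # user B also reads 100
    acct.write_unchecked(bal_a + 50)  # A records a 50 deposit -> 150
    acct.write_unchecked(bal_b - 30)  # B records a 30 withdrawal -> 70
    return acct.balance               # 70, although the correct balance is 120


def checked_update():
    """Same interleaving with the version check; returns (balance, outcomes)."""
    acct = Account(100)
    bal_a, ver_a = acct.read()
    bal_b, ver_b = acct.read()
    first = acct.write_if_unchanged(bal_a + 50, ver_a)    # accepted -> 150, version 1
    second = acct.write_if_unchanged(bal_b - 30, ver_b)   # refused: B's version is stale
    # B re-reads the current state and applies the withdrawal to it.
    bal_b, ver_b = acct.read()
    retry = acct.write_if_unchanged(bal_b - 30, ver_b)    # accepted -> 120
    return acct.balance, (first, second, retry)
```

The refusal in `checked_update` is the point: the system turns a silent data corruption into a visible failure that the application can handle, which is what internal controls on financial data require.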
Computer criminals can make unauthorized data modifications by hacking into a computer system. For example, hackers could hack into a system and transfer people’s account balances or place orders to ship goods to unauthorized locations and customers.
Finally, faulty recovery actions after a disaster can result in incorrect data changes. The
faulty actions can be unintentional or malicious.
Faulty Service
The third type of security loss, faulty service, includes problems that result because of incorrect system operation. Faulty service could include incorrect data modification, as just described. It also could include systems that work incorrectly by sending the wrong goods to a customer or the ordered goods to the wrong customer, inaccurately billing customers, or sending the wrong information to employees. Humans can inadvertently cause faulty service by making procedural mistakes. System developers can write programs incorrectly or make errors during the installation of hardware, software programs, and data.
Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes. Faulty service can also result when service is improperly restored during recovery from natural disasters.