Page 426 - Using MIS
394 Chapter 10 Information Systems Security
Denial of Service
Human error in following procedures, or the lack of any procedure, can result in denial of service
(DoS), the fourth type of loss. For example, an employee can inadvertently take down a Web server
or a corporate gateway router by starting a computationally intensive application on it. An OLAP
application that runs against the operational DBMS can consume so many DBMS resources that
order-entry transactions cannot get through.
Computer criminals can launch an intentional denial-of-service attack, in which a malicious
hacker floods a Web server, for example, with millions of bogus service requests that so occupy
the server that it cannot service legitimate ones. Computer worms can likewise infiltrate a
network with so much artificial traffic that legitimate traffic cannot get through. Finally,
natural disasters may cause systems to fail, resulting in denial of service.
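The flood described above is easiest to see in a server's own access log: one client sends far more requests per second than any legitimate user, and the defence is to stop serving that client once it exceeds a rate limit. The following Python is an added example, not code from the book: it parses constructed Combined Log Format lines, replays them through a per-client sliding-window rate limiter, and reports which clients were flooding. The log sample, the limit of 20 requests per second and the flood threshold of 50 are assumptions chosen for illustration.

```python
"""Replay web-server access-log lines through a per-client sliding-window rate
limiter and report which clients were flooding. Added example for the
denial-of-service discussion, not code from the book; the log sample, the
20-requests-per-second limit and the flood threshold are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: two legitimate clients make a few requests each while
# 192.0.2.1 sends 250 requests spread over three seconds (100, 100, 50).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /order HTTP/1.1" 200 512',
] + [
    f'192.0.2.1 - - [10/Oct/2023:13:55:3{6 + i // 100} +0000] '
    f'"GET /search?q={i} HTTP/1.1" 200 89'
    for i in range(250)
] + [
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /order HTTP/1.1" 201 64',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 1200',
    'not a log line',  # malformed input is skipped rather than crashing the replay
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one Combined Log Format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"client": m.group("client"), "ts": ts,
            "request": m.group("request"), "status": int(m.group("status"))}


class SlidingWindowLimiter:
    """Per-client sliding window over request timestamps (which must arrive in
    log order, i.e. non-decreasing). Every attempt is recorded, so a flood keeps
    being counted while it is rejected; allow() is True while the client has
    made at most max_requests attempts within the trailing window."""

    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)
        self.peak = defaultdict(int)  # highest attempts-per-window seen per client

    def allow(self, client, ts):
        q = self._hits[client]
        cutoff = ts - self.window
        while q and q[0] <= cutoff:  # drop attempts that fell out of the window
            q.popleft()
        q.append(ts)
        self.peak[client] = max(self.peak[client], len(q))
        return len(q) <= self.max_requests


def replay(lines, max_requests=20, window_seconds=1, flood_threshold=50):
    """Return (allowed, dropped, flood_sources): per-client counts of requests
    the limiter would have served or rejected, and the clients whose peak
    attempt rate in any window exceeded flood_threshold."""
    limiter = SlidingWindowLimiter(max_requests, timedelta(seconds=window_seconds))
    allowed, dropped = defaultdict(int), defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        bucket = allowed if limiter.allow(entry["client"], entry["ts"]) else dropped
        bucket[entry["client"]] += 1
    floods = {c: p for c, p in limiter.peak.items() if p > flood_threshold}
    return dict(allowed), dict(dropped), floods


if __name__ == "__main__":
    allowed, dropped, floods = replay(SAMPLE_LOG)
    for client in sorted(allowed):
        print(f"{client:15} served={allowed[client]:4} dropped={dropped.get(client, 0):4}")
    print("flood sources:", floods)
```

On the sample, the flooding client is held to 20 served requests per second (60 of its 250 attempts) while both legitimate clients get every request served, and it is the only client reported as a flood source. The same per-client budget idea applies to the OLAP case in the text: a DBMS statement timeout or per-user resource limit keeps one heavy reporting workload from starving the order-entry transactions.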
Loss of Infrastructure
Many times, human accidents cause loss of infrastructure, the last loss type. Examples are a
bulldozer cutting a conduit of fiber-optic cables and a floor buffer crashing into a rack of Web servers.
Theft and terrorist events also cause loss of infrastructure. For instance, a disgruntled, terminated
employee might walk off with corporate data servers, routers, or other crucial equipment. Terrorist
events also can cause the loss of physical plants and equipment.
Natural disasters present the largest risk for infrastructure loss. A fire, flood, earthquake, or
similar event can destroy data centers and all they contain.
You may be wondering why Figure 10-3 does not include terms such as viruses, worms, and
Trojan horses. The answer is that viruses, worms, and Trojan horses are techniques for causing
some of the problems in the figure. They can cause a denial-of-service attack, or they can be
used to cause malicious, unauthorized data access or data loss.
Finally, a new threat term has come into recent use. An Advanced Persistent Threat (APT)
is a sophisticated, often long-running intrusion that is perpetrated by large, well-funded
organizations such as governments. APTs can be a means to engage in cyberwarfare and
cyber-espionage. Examples of APT are Stuxnet and Flame. Stuxnet is reputed to have been used
to set back the Iranian nuclear program by causing Iranian centrifuges to malfunction. Flame is
a large, complex computer program that is reputed to have hacked into computers and is said
to operate as a cyberspy, capturing screen images, email, and text messages and even searching
nearby smartphones using Bluetooth communication. Search the Internet for these terms to
learn more. If you work in the military or for intelligence agencies, you will certainly be
concerned, if not involved, with APTs. We return to this topic in Q9.
Goal of Information Systems Security
As shown in Figure 10-1, threats can be stopped, or, if not stopped, the cost of loss can be
reduced by creating appropriate safeguards. Safeguards are, however, expensive to create and
maintain. They also reduce work efficiency by making common tasks more difficult, adding
labor expense. The goal of information security is to find an appropriate trade-off between
the risk of loss and the cost of implementing safeguards.
Business professionals need to consider that trade-off carefully. In your personal life, you
should certainly employ antivirus software. You should probably implement other safeguards
that you'll learn about in Q3. Some safeguards, such as deleting browser cookies, will make
using your computer more difficult. Are such safeguards worth it? You need to assess the risks and
benefits for yourself.
Similar comments pertain to organizations, though they need to go about it more
systematically. The bottom line is not to let the future unfold without careful analysis and action
as indicated by that analysis. Get in front of the security problem by making the appropriate
trade-off for your life and your business.
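One systematic way to make the trade-off the section describes is to put a number on both sides: the expected annual loss from each threat (loss per event times expected events per year) against the annual cost of each safeguard, including the labor cost of the friction it adds. The following Python is an added example, not from the book; the annualized-loss model, the threat and safeguard names, and every figure in it are constructed for illustration. It goes one step beyond a single comparison by selecting safeguards against the residual loss, so two safeguards that cover the same threat are not both credited with the same avoided loss.

```python
"""Compare the cost of candidate safeguards with the expected loss they remove,
using the common annualized-loss model: expected loss per event times expected
events per year. Added example for the risk/cost trade-off, not from the book;
the threats, loss figures, mitigation fractions and safeguard costs are all
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    loss_per_event: float   # recovery, downtime, lost orders, fines for one occurrence
    events_per_year: float  # expected frequency


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # licences and upkeep plus the labour cost of the added friction
    mitigates: dict         # threat name -> fraction of that threat's expected loss removed


# Constructed figures; the threat names echo the loss types discussed in the text.
THREATS = [
    Threat("web server flooded", 40_000, 0.5),
    Threat("fiber conduit cut", 250_000, 0.1),
    Threat("OLAP starves order entry", 8_000, 6),
]
SAFEGUARDS = [
    Safeguard("rate limiting at the edge", 6_000, {"web server flooded": 0.8}),
    Safeguard("dedicated reporting replica", 30_000, {"OLAP starves order entry": 0.9}),
    Safeguard("second fiber route", 60_000, {"fiber conduit cut": 0.95}),
    Safeguard("query resource governor", 5_000, {"OLAP starves order entry": 0.6}),
]


def annual_expected_loss(threats):
    """Expected loss per year with no safeguards in place."""
    return sum(t.loss_per_event * t.events_per_year for t in threats)


def net_benefit(safeguard, residual):
    """Expected loss avoided this year minus the safeguard's cost, given the
    residual (not yet mitigated) expected loss per threat."""
    avoided = sum(residual.get(name, 0.0) * fraction
                  for name, fraction in safeguard.mitigates.items())
    return avoided - safeguard.annual_cost


def choose_safeguards(safeguards, threats):
    """Greedy selection: repeatedly adopt the safeguard with the largest positive
    net benefit against the current residual loss, so two safeguards covering
    the same threat are not credited with the same avoided loss twice. Returns
    the chosen names in adoption order and the residual annual expected loss."""
    residual = {t.name: t.loss_per_event * t.events_per_year for t in threats}
    pending, chosen = list(safeguards), []
    while pending:
        best = max(pending, key=lambda s: net_benefit(s, residual))
        if net_benefit(best, residual) <= 0:
            break  # everything left costs more than the loss it would prevent
        chosen.append(best.name)
        pending.remove(best)
        for name, fraction in best.mitigates.items():
            if name in residual:
                residual[name] *= 1.0 - fraction
    return chosen, round(sum(residual.values()), 2)


if __name__ == "__main__":
    print(f"expected annual loss with no safeguards: {annual_expected_loss(THREATS):,.0f}")
    chosen, remaining = choose_safeguards(SAFEGUARDS, THREATS)
    print("adopt:", chosen)
    print(f"residual expected annual loss: {remaining:,.0f}")
```

With these constructed figures the cheap resource governor is adopted first; once it has removed most of the OLAP loss, the expensive reporting replica no longer pays for itself, and the second fiber route never does, because the expected loss from a cut is far below its cost. That is the trade-off in the text made explicit: a safeguard is worth having only while the loss it prevents exceeds what it costs to run.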