Term Paper on "Management Information Systems Security"

Term Paper 12 pages (3422 words) Sources: 6

[EXCERPT] . . . .

A different study conducted by PricewaterhouseCoopers (PwC) suggests that in the year ended 2013, the number of breaches fell but the overall cost of these breaches increased.

In this modern era, where the majority of the information generated is stored on computers, there are several threats to the security of information. These threats come in different forms, and their impact varies with the form. Common threats to computer systems include physical theft of hardware, software attacks using worms and viruses, identity theft, sabotage, and theft of information and equipment. In one way or another, more than 50% of people the world over have seen software attacks of some form (Krausz, 2010).

Common examples of software attacks are viruses, phishing attacks, worms, and Trojan horses. Theft of intellectual property, including physical theft of media containing information such as servers, flash drives, external hard drives, and others, is also an extensive issue in the information security field (Krausz, 2010).

Theft of intellectual property occurs in 23% of large and small organizations.

Theft or pirating of software is also a big issue for software companies. These companies produce software that constitutes their intellectual property and is often heavily guarded. Theft of hardware and equipment is also becoming prevalent in today's world because most devices, such as laptops, notebooks, mobile phones, and tablets, are mobile and easy to steal. Cell phones and tablets are the most prone to theft since they are the most desirable pieces of equipment and they have increased data capacity. It is estimated that close to 1 million cell phones and tablets are stolen every year (Kouns & Kouns, 2011).

This exposes companies and individuals to huge losses of data and compromises their information security.

Corporations also collect a large amount of data about their employees, products, customers, and competitors' products and financial status. This data is often stored electronically and transmitted from one computer to another via the Internet. This information is sometimes confidential and can fall into the hands of a hacker or competitor, leading to damage to the overall company reputation or huge financial loss (Kouns & Kouns, 2011).

It is therefore essential for companies to protect their confidential information and, when it is transmitted, to transmit it securely.

Another important threat to information security is sabotage. Sabotage happens when an organization's website or other information is altered in an attempt to get customers to lose confidence in the company (Honan, 2010).

Countermeasures to threats to security measures

The best way to counter security threats is to think of them at two levels: host threats and application threats. Host threats include viruses, Trojan horses, worms, footprinting, profiling, hacking, denial of service (DDoS) attacks, unauthorized access, and arbitrary execution of code. Application threats are those that occur when running or using applications and include unauthorized access to confidential information, manipulation of parameters, cross-site scripting, buffer overflows, and DDoS attacks (Bs, 2008).

Viruses, worms, and Trojan horses

These three threats pose a significant risk to the organization's data since they bring inherent vulnerabilities in applications that spread the threats further. Countermeasures for these three threats include installing operating system updates and software patches, blocking unnecessary firewall and host ports, hardening weak default configurations in the system, and disabling unused functionalities (Tkacheva et al., 2013).

Footprints

Footprinting includes ping sweeps, port scanning, and enumeration of NetBIOS. Attackers use footprinting to steal valuable system-level information to prepare themselves for larger attacks. Countermeasures to footprinting include disabling unused or unnecessary protocols and ports, locking down ports with the right firewall configuration, using TCP/IP filters for in-depth defense, configuring IIS to prevent information disclosure, and using an IDS to pick up any footprinting patterns and reject traffic that is suspicious (Ransbotham & Mitra, 2009).

Password hacking

When a system is locked down to prevent anonymous connections, hackers attempt to use authenticated connections. This means the attacker must attempt to find a valid combination of username and password. The first and most direct way to avoid password hacking is to avoid default usernames such as admin, administrator, and user. Secondly, the company should enforce minimum password strength rules to ensure passwords are strong. Lockout policies should also be applied to end-user accounts to limit retries on password guesses. These lockout policies should also log failed login attempts so that appropriate corrective action can be taken (Kumar, Park, & Subramaniam, 2008).
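The three controls in this paragraph can be combined in one login gate. The following Python sketch is an added example, not part of the original paper; the length, retry, and lockout values are assumed policy settings, and the caller is assumed to have already verified the password and to pass the result in as `success`.

```python
import logging
import time

log = logging.getLogger("auth")
DEFAULT_USERNAMES = {"admin", "administrator", "user"}  # names listed in the text
MIN_LENGTH = 12        # assumed policy value
MAX_FAILURES = 5       # assumed retry limit
LOCKOUT_SECONDS = 900  # assumed lockout duration

def username_allowed(name):
    """Reject default account names when an account is created."""
    return name.strip().lower() not in DEFAULT_USERNAMES

def password_strong(pw):
    """Minimum strength: length plus at least three character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3

class LockoutTracker:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> time at which the lock expires

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def record(self, user, success, source_ip):
        """Return True if the login may proceed, False if it is refused."""
        if self.is_locked(user):
            # A correct password is still refused while the account is locked.
            log.warning("refused login on locked account user=%s ip=%s", user, source_ip)
            return False
        if success:
            self.failures.pop(user, None)
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        log.warning("failed login user=%s ip=%s count=%d", user, source_ip, count)
        if count >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            log.error("account locked user=%s seconds=%d", user, LOCKOUT_SECONDS)
        return False
```

The log lines carry the username, source address, and running count, which is what a reviewer needs to decide on corrective action.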

Denial of service attacks

DDoS attacks are aimed at the organization's infrastructure. They are brute force attacks aimed at identifying the vulnerabilities in the system. Countermeasures include configuring application services and firewalls to prevent brute force attacks. Secondly, it is essential to stay up to date with security patches and updates. The company should also review the failover functionality of the organization regularly to detect potential DDoS attacks and take corrective action immediately (Hui, Hui, & Yue, 2012).

Arbitrary execution of code

This occurs when an attacker executes malicious code on the organization's server, compromising the server's resources. Arbitrary code execution can be prevented by configuring the operating system to prevent path traversal. The second measure is to keep the servers up to date with security patches and fixes so that buffer overflows are discovered speedily (Guo, Yuan, Archer, & Connelly, 2011).

Unauthorized access

While most web systems have access control, it is important to ensure these controls are updated regularly to restrict who can access information or perform other restricted operations. Common vulnerabilities in the organization's system may include a lack of appropriate permissions. It is, therefore, important for the organization to configure secure web permissions for each user to prevent unauthorized access (D'Arcy, Hovav, & Galletta, 2009).

Input validation

Input validation is an application-side control where the application must ensure the type, format, length, and range of input data are appropriately specified to prevent compromise of the application. When these application inputs are secured, it becomes harder for attackers to use public interfaces since they cannot inject code into the organization's applications. In input validation, it is important to seal buffer overflow vulnerabilities that can lead to DDoS attacks (D'Arcy & Hovav, 2009).

It is important for the organization to limit the use of unmanaged APIs and to ensure APIs are validated appropriately. Thorough input validation is essential to prevent code injection.
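The four properties named above (type, format, length, and range) can be enforced from one declarative allowlist. This Python sketch is an added example, not part of the original paper; the form fields and limits are constructed for illustration, and raw values are assumed to arrive as strings, as they do from an HTTP form.

```python
import re

# Hypothetical order form; field names and limits are constructed for illustration.
SCHEMA = {
    "username": {"type": str, "max_len": 32, "format": re.compile(r"[A-Za-z0-9_.-]+")},
    "quantity": {"type": int, "range": (1, 100)},
    "postcode": {"type": str, "max_len": 10, "format": re.compile(r"[A-Z0-9 ]+")},
}

def validate(raw):
    """Return (clean, errors). Only values in `clean` should reach the application."""
    clean, errors = {}, {}
    # Fields the schema does not know about are rejected, not silently passed on.
    for name in raw.keys() - SCHEMA.keys():
        errors[name] = "unexpected field"
    for name, rule in SCHEMA.items():
        if name not in raw:
            errors[name] = "missing"
            continue
        value = raw[name]
        # Length: checked on the raw string before any parsing or regex work.
        if len(value) > rule.get("max_len", 16):
            errors[name] = "too long"
            continue
        if rule["type"] is int:
            # Type: ASCII digits only, so int() cannot be handed surprising input.
            if not re.fullmatch(r"-?[0-9]+", value):
                errors[name] = "not an integer"
                continue
            value = int(value)
            lo, hi = rule["range"]
            # Range: inclusive bounds from the schema.
            if not lo <= value <= hi:
                errors[name] = "out of range"
                continue
        # Format: the whole string must match the allowlist pattern.
        elif not rule["format"].fullmatch(value):
            errors[name] = "bad format"
            continue
        clean[name] = value
    return clean, errors
```

Because every pattern is matched with `fullmatch`, a value that merely contains an acceptable substring is still rejected.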

Effectiveness and efficiency of countermeasures

No single countermeasure is 100% efficient in the current information technology environment. It is, therefore, essential for each company or organization to use a combination of countermeasures to optimize their security procedures and protocols. It is also essential for a company to track its security protocols and procedures regularly. This calls for the organization to establish a framework that links its strategic goals to the tactical execution of its security protocol through measuring performance. Regularly testing the system to measure the effectiveness of security policies and procedures is essential in strengthening the security program.

The company should develop a performance plan to regularly evaluate the effectiveness of the security system based on defined performance indicators. This means the plan should provide detailed procedures for conducting reviews of security controls, management processes, and other applications. Secondly, the organization should establish acceptable performance levels for particular systems and facilities and incorporate them into the security controls. Thirdly, the organization should perform random reviews of the efficiency and effectiveness of its security protocols. These random reviews will help to test the system and take corrective action proactively.

The company should also verify that it complies with security standards and approved programs using a combination of tests, interviews, record reviews, and inspections. This will help it measure performance against these standards, make sure it is meeting them, and, where necessary, drive improvements in the processes. The company should also build the capacity to gather and use its performance information appropriately using a data collection, analysis, and reporting system.

Measuring the efficiency and effectiveness of an information security system can be very challenging. This is mainly because it is difficult to control that which cannot be measured. Industry experts suggest that efforts to measure effectiveness are hindered by the availability of data. Empirical data is difficult to obtain and is often uneven in quality. Some data is also not routinely collected, making it difficult to use it to identify and quantify indicators of performance.

Conclusion

Companies should review their information security system regularly to ensure they remain aware of threats and countermeasures, adopt new technology and technology updates when they are available, use specific assets such as employees and firewalls to mitigate risks, and prioritize their risk management process.

In most organizations, information security is seen as a technical discipline. This is because it is closely related to IT, which is technical. However, information security is involved with establishing, enforcing, and following information security policies and procedures that establish…


How to Reference "Management Information Systems Security" Term Paper in a Bibliography

“Management Information Systems Security.” A1-TermPaper.com, 2014, https://www.a1-termpaper.com/topics/essay/management-information-systems/7084752. Accessed 1 Jul 2024.
