The Management of Information Systems with Regards to Securing Such Systems - Coursework Example

Contents Contents 2 Introduction 3 Hacking methods 4 Password cracking 4 Configuration flaws 5 IP spoofing 6 Advanced persistent attacks and wire tapping 6 Defending information systems 7 Password management 7 Use of biometrics to control access 7 Organization policy 8 Firewalls and ethical hacking 8 Conclusion 10 Bibliography 11 Introduction The security of data in information is becoming more challenging issue to handle in organizations today. This due to the changing face of computing that has led to advanced tools that can be used to breach such security. Apart from this advancement in technology of breaching security, the internet also poses a considerable security threat and vulnerabilities. Through the internet, hackers can launch an attack remotely from any location to an information system with adverse results in the end (Cannon, 2011, p. 433). In a fast changing computing environment and technology, the interception of data and the hacking tools that are employed pose a significant challenge to computer systems developers. The main reason for this challenge is the inability of developers to anticipate fully all the potential vulnerabilities of a system during its development. Cases like zero-day attacks make it virtually impossible to fully eliminate the potential of the developers coming up with foolproof systems. This paper discusses the management of information systems with regards to securing such systems and the data that they contain. Specifically, the paper looks at the main modalities that hackers use to gain unauthorized access to information systems. From these unlawful access methods, the paper will recommend information management strategies that will assist in reducing the risk of unauthorized access to information systems within organizations. Hacking methods Hackers, often referred to as unauthorized users, exploit vulnerabilities in computer systems to gain access. Vulnerabilities are weak points that can be potential targets and access points in to a system. In most cases, the users or administrators are aware of these potential weaknesses and in other settings; the vulnerable points are not explicit to them. An example of a weak point that most system administrators are aware of is the lurking threats on the internet. Due to the large number of users and interconnected nature, the internet has a large array of potential attackers and points of vulnerability. A software flaw, on the other hand, is an example of a vulnerability point that is unknown to the users or the system administrators. Password cracking The above discussion gives the background theory of unauthorized access to a computer system. It is from these points of vulnerabilities that hackers use to circumvent security measures in the computer systems. The most common hacking techniques result from the improper or poor use of password protection of a system. Key vulnerabilities here include the use of a matching username and password, weak or too short passwords and providing hints of passwords at the login screen. In doing these, a users intention might be to ease their own work of remembering passwords. However, this also provides the hacker with incentives of easy cracking of the same passwords (Street & Street, 2010, p. 242). In order to gain these passwords, a hacker can employ both low technology methods or use brute force method to access the system. In low-technology method, the hacker can decide to search for passwords from employees through means of bribing or trickery. The hacker can also use dumpster diving where the hacker searches through trash and looks at waste documents for hints on the password. In circumstances of a brute attack, the hacker will use guesswork to try and gain access to the system (Chirillo, 2001, p. 450). This involves guessing the password from the hints available or projecting it from the username. The projection of passwords from the details of a specific user is sometimes referred to as social engineering. This form of hacking is closely linked to the threat and concept of insider hacking. In insider hacking, a hacker can decide to take up a temporary job posting in a firm. Through this position, the hacker can observe the critical passwords as they are being used by privileged users and make the record of the same. At the end of the contract, a hacker can decide to use these passwords to access systems of the firm for their personal gains and intentions. Configuration flaws Another avenue that hackers use in gaining access is through configuration errors or system flows. In this method, the hacker will analyze the potential weaknesses posed by the configuration or development flaws and launch an attack. In most cases, such attacks are referred to as zero-day attacks. This is due to their unique nature and the fact that this form of attack has not been seen before. The most common method that the hacker will use to launch a bug that will act on the flaw to circumvent security measures of the system and gain access. The bugs are often launched in the form of Trojans or Trojan horses that pose as genuine executable programs (Pipkin, 2003, p. 146). Once the Trojans are in the system, the hacker can use them to gain access to remote control of the bugs. This method is a little bit complex and will require the hacker to poses a high level of programming skills in order to make the analysis and bugs that can circumvent the security. IP spoofing The internet or computer networks are also potential sources of unauthorized access to information systems. The most common technique that most hackers use is spoofing. In simple terms, spoofing is the impersonation of the address of other computers in order to gain communication as a trusted computer within a network (Bidgoli, 2004, p. 432). Ordinarily, when communicating over the internet, computer systems share information with trusted sources which are identified from their internet protocol (IP) addresses. For sources that are not trusted, before communication and sharing information, the computer checks their IP address for validity. Only trusted computers communicate or share information with each other. In the case where a computer system is not properly identified, no connection is established. A hacker can impersonate the IP address of trusted computers on a network to gain a connection and access to information on systems through this means. Advanced persistent attacks and wire tapping Other forms of hacking include the use of advanced persistent threat tools and wiretapping. In advanced persistent threat hacking, the hacker employs sophisticated malware that operates stealthily over a long period to collect information about a system. These are tools or malware that are covertly implanted into a system and collect information such as users details and passwords (Bathurst, Rogers, & Ghassemlouei, 2012, p. 94). These malwares are administered remotely, and it takes a long period of time, for a hacker to collect data for purposes of launching an attack on a system (SECTECH Conference & Kim, 2012, p. 145). In wiretapping, the use of hardware is the main channel of attack. These hardware have the capability of sniffing packets being transmitted over analog signal cables and convert them to digital data. The hacker, in this case, is in a position to eavesdrop on a communication between two computer systems on a network (Strebe, 2006, p. 35). Defending information systems The main goals of information security are to protect the critical issues of confidentiality, integrity and availability of the information. The implication here is that within the organization, the treatment and use of information varies. Confidential information is to be protected from unlawful dissemination and data required for operation must be available. These aspects of information are crucial in the smooth running of an organization. Password management Due to the fast evolving pace of technology it is impossible to eliminate the threat of hacking in totality but it is possible to limit the threats of unauthorized access. The most basic method to do this is by effectively managing the passwords and access codes to a system. Osmanoglu (2013, p. 409), identifies a technique of one-time passwords as a method that could be challenging to hackers. In these systems, the secret pin of a user is combined by a token pin generated by the system for each user to gain access to the system. The token pin generated by the system changes after a specific period. This pin is generated by an algorithm at each login, and this prevents the capture and reuse of the pin by hackers at a later time. Use of biometrics to control access The study also identifies the use of biometrics as a possible method that can limit unauthorized access through password cracking. In this perspective, it identifies the fact that there are physiological aspects that vary between individuals. An example is the fingerprints of individuals. A system can, therefore, be configured to authenticate users basing on passwords match and physiological aspects of the users (Osmanoglu, 2013, p. 410). Voice recognition and facial recognition are other aspects of physiological identification methods that can be employed in a system. Organization policy Threats to information systems not only originate from outside the organization but also from within the organization. The implication of this dichotomy of insiders and outsiders could make information managers complacent of the fact that insiders cannot destroy or leak confidential information. To protect data and information from an insider attack, the management should use policy and systematic planning and regulation strategies (Rose, 2005, p. 8). The policies to manage such threats include adequate vetting of employees and an examination of their background information before assigning them critical roles. Defining consequences of such breaches can also deter potential in-house hackers from attempting to engage in such actions. Deswarte, (2004, p. 122), identifies this modality of control and implementation of security to information system as a psycho-social approach. In this approach, an organization sets out rule and regulations that govern the use an access to information. The aim of these psycho-social approaches is to indicate to the users of the information systems that the benefits of a malicious use are less than the consequences of the same. As such, the employees or the internal threat to information systems will be kept very low. Firewalls and ethical hacking Some studies suggest a layered approach to the protection of information and data within information systems. For instance, Deswarte (2004. P. 126) states that layering threat locations and the information systems locations can be helpful in filtering threats. For systems that use the internet, the study believes that this form of filtering can reduce threats associated with the Internet. In this case, the system is layered into two; that is the internet layer and the interior network of the information system. A filter which can be in the form of a firewall is used to separate the two networks. The function of the filter is to check and flag potential threat from the unsecure network. For globally distributed information systems, the threat is even more. This is due to the reliance on the internet infrastructure with several potential sources of security breaches. In this case, it is difficult to provide a tight security on the internet protocol due to its homogenous nature. The main challenge that these systems face is the inability of the systems to be layered as in the case of systems connecting to the internet from a gateway. To solve this challenge, the defense-in-depth architecture is the best alternative. Several zones or layers are defined in this architecture with the most critical assets located in the lower zones. Several filters and filtering processes are employed in preventing unauthorized breach or access to these resources. While data is within the internet, light code intrusion detection systems and encryption of data can help deal with security challenges. The role of such mechanisms is to detect the possibility of attacks and provide the layered filters with an alert to flag the threats (Deswarte 2004, p. 127). Advanced persistent threats pose a significantly sophisticated approach to hacking that might be difficult to mitigate. Vallabhaneni (2013, p. 322), suggests that in order to mitigate challenges resulting from advance persistent threats, an agile approach to multiple strategy is required. This will involve the use of both defenses in depth and defense in breadth strategies. The study identifies the fact that the most common method used in advanced persistent attacks is the use of malware that employ logics and deceit. As such, the best countermeasure methods will include physical firewalls implemented in hardware form, software form of firewalls and an intrusion code that run in the backbone of the information system. Conclusion With the current trends in technology, newer threats to information systems are evolving and emerging daily. Organizations that have implemented information systems have to put up with a constant availability of threats to the data from these information systems. The source of threats to data in these organizations could be from within the organizations or remote to the organization. Regardless of the source, the level of damage inflicted is the key motivation in protecting such information from unlawful access. Some of the modalities of unauthorized access discussed in this paper include the cracking of passwords, spoofing of internet protocol addresses and advanced persistent attacks. Each of these hacking techniques can be launched either remotely or from within the organization. In remote launching, the main source of vulnerability that has been singled out is the internet. The internet due to its homogenous nature makes it difficult for online systems to perfectly secure information that is transmitted over it. To mitigate the challenges of hacking and unauthorized access, this literature provides a number of strategies. For each threat identified in this study, a countermeasure has been proposed. To mitigate the problem resulting from poor use of passwords, the preceding discussion suggests that the organization should improve access management. This can be done through modern technologies like one-time password systems, biometric authentication techniques and access logs. This study also suggests a layered architecture in dealing with information systems that use a gateway to connect to the internet. Through this layering process, filtering of rogue connections is made simpler by the use of firewalls. For advanced persistent attacks, a multiple strategy approach is the best way to reduce the threat or possibility of attack. Bibliography CANNON, D. L. (2011). CISA certified information systems auditor study guide. San Francisco, Calif, Sybex BATHURST, R., ROGERS, R., & GHASSEMLOUEI, A. (2012). The Hackers Guide to OS X Exploiting OS X from the Root Up. Burlington, Elsevier Science. SECTECH (CONFERENCE), & KIM, T.-H. (2012). Computer applications for security, control and system engineering International Conferences, SecTech, CA, CES3 2012, held in conjunction with GST 2012, Jeju Island, Korea, November 28-December 2, 2012. Proceedings. Berlin, Springer STREBE, M. (2006). Network Security JumpStartTM Computer and Network Security Basics. Hoboken, John Wiley & Sons BIDGOLI, H. (2004). P - Z. Hoboken, NJ [u.a.], Wiley. OSMANOGLU, E. (2013). Identity and Access Management Business Performance Through Connected Intelligence. Burlington, Elsevier Science. ROSE, D. C. (2005). A guidebook for including access management in transportation planning. Washington, D.C., Transportation Research Board. DESWARTE, Y. (2004). Security and protection in information processing systems: IFIP 18th World Computer Congress, TC11 19th International Information Security Conference, 22 - 27 August 2004, Toulouse, France. Boston, Mass. [u.a.], Kluwer Acad. Publ. VALLABHANENI, S. R. (2013). Wiley CIA exam review focus notes 2013. Part 3, Part 3. New York, Wiley PIPKIN, D. L. (2003). Halting the hacker: a practical guide to computer security. Upper Saddle River, N.J., Prentice Hall PTR. CHIRILLO, J. (2001). Hack attacks revealed: a complete reference with custom security hacking toolkit. New York, Wiley. STREET, J. E., & STREET, J. E. (2010). Dissecting the hack the forb1dd3n network. Amsterdam, Syngress. Read More