CA/U4 Topic 10 Security issues in Information Technology
MIS security refers to measures put in place to protect information system resources from unauthorized access or being compromised. Security vulnerabilities are weaknesses in a computer system, software, or hardware that can be exploited by the attacker to gain unauthorized access or compromise a system.
People as part of the information system components can also be exploited using social engineering techniques. The goal of social engineering is to gain the trust of the users of the system.
Let’s now look at some of the threats that information system face and what can be done to eliminate or minimize the damage if the threat were to materialize.
- Computer viruses
These are malicious programs as described in the above section. The threats posed by viruses can be eliminated or the impact minimized by using Anti-Virus software and following laid down security best practices of an organization.
- Unauthorized access
The standard convention is to use a combination of a username and a password. Hackers have learnt how to circumvent these controls if the user does not follow security best practices. Most organizations have added the use of mobile devices such as phones to provide an extra layer of security.
Let’s take Gmail as an example, if Google is suspicious of the login on an account, they will ask the person about to login to confirm their identity using their android powered mobile devices or send an SMS with a PIN number which should supplement the username and password.
If the company does not have enough resources to implement extra security like Google, they can use other techniques. These techniques can include asking questions to users during signup such as what town they grew up in, the name of their first pet, etc. If the person provides accurate answers to these question, access is granted into the system.
- Data loss
If the data center caught fire or was flooded, the hardware with the data can be damaged, and the data on it will be lost. As a standard security best practice, most organizations keep backups of the data at remote places. The backups are made periodically and are usually put in more than one remote area.
Technology with Weak Security – New technology is being released every day. More times than not, new gadgets have some form of Internet access but no plan for security. This presents a very serious risk – each unsecured connection means vulnerability. The rapid development of technology is a testament to innovators, however security lags severely.
- Social Media Attacks
Cybercriminals are leveraging social media as a medium to distribute a complex geographical attack called “water holing”.
- Mobile Malware
Security experts have seen risk in mobile device security since the early stages of their connectivity to the Internet. The minimal mobile foul play among the long list of recent attacks has users far less concerned than they should be. Considering our culture’s unbreakable reliance on cell phones and how little cybercriminals have targeted them, it creates a catastrophic threat.
- Third-party Entry
Cybercriminals prefer the path of least resistance. Target is the poster child of a major network attack through third-party entry points. The global retailer’s HVAC vendor was the unfortunate contractor whose credentials were stolen and used to steal financial data sets for 70 million customers.
- Neglecting Proper Configuration
Big data tools come with the ability to be customized to fit an organization’s needs. Companies continue to neglect the importance of properly configuring security settings. The New York Times recently fell victim to a data breach as a result of enabling only one of the several critical functionalities needed to fully protect the organization’s information.
- Outdated Security Software
Updating security software is a basic technology management practice and a mandatory step to protecting big data. Software is developed to defend against known threats. That means any new malicious code that hits an outdated version of security software will go undetected.
- Social Engineering
Cybercriminals know intrusion techniques have a shelf life. They have turned to reliable non-technical methods like social engineering, which rely on social interaction and psychological manipulation to gain access to confidential data. This form of intrusion is unpredictable and effective.
- Lack of Encryption
Protecting sensitive business data in transit and at rest is a measure few industries have yet to embrace, despite its effectiveness. The health care industry handles extremely sensitive data and understands the gravity of losing it – which is why HIPAA compliance requires every computer to be encrypted.
- Corporate Data on Personal Devices
Whether an organization distributes corporate phones or not, confidential data is still being accessed on personal devices. Mobile management tools exist to limit functionality but securing the loopholes has not made it to the priority list for many organizations.
12. Inadequate Security Technology
Investing in software that monitors the security of a network has become a growing trend in the enterprise space after 2014’s painful rip of data breaches. The software is designed to send alerts when intrusion attempts occur, however the alerts are only valuable if someone is available to address them. Companies are relying too heavily on technology to fully protect against attack when it is meant to be a managed tool.