Evaluation: Evaluating Security Needs
Before implementing any form of security you need to decide how important security is for your company and identify any security problems your company has that need attention. This section examines these two steps, looks at some of the possible threats and introduces some ways to evaluate security problems.
Information systems and especially DSS can be made very secure if enough effort is expended. However a very secure system is usually too inconvenient for managers to use. According to Jones (1998), when implementing a security plan both System Administrators and managers must weigh the following costs and factors:
A computer containing the plans for Intel's next computer chip or sensitive financial data should be carefully secured. On the other hand it doesn't make sense to spend hundreds of thousands of dollars securing a computer used for email by business students. A system can be made as secure as is necessary but in doing so you might lose all ability to make effective use of the machine. Managers and Systems Administrators must balance the needs for convenience against the need for security.
To implement security on a system you should first identify the possible threats to the system. There are three major types of threats to a computer system: physical threats, unauthorized access, and denial of service. Physical threats include fire, theft of equipment, and vandalism. Unauthorized access is the feared hacker or a former employee breaking into a company’s computers or Web Site. Denial of service means people are unable to use a system because of a security breach.
A company needs a Computer Security Policy (CSP) to ensure the safe, organized and fair use of IS/IT resources. A Computer Security Policy is a document that sets out rules and principles that affect the way an organization approaches security problems. A company should specify security policy for specific DSS.
Not all attacks on computer systems rely on expert knowledge of computer hardware and software. The quickest way of denying service is to steal or destroy the physical hardware. Mechanisms should be in place to prevent access to the physical hardware of a system. Network cables are also a security risk. The simplest way to disable a computer network is to take a shovel and dig up a few of the cables used for a computer network. This problem may occur by design or accident.
Logical security threats are caused by problems with computer software. These problems are caused either by misuse, by hardware incompatibilities, by people, by mistakes in programs, or by program interactions with other programs. MIS professionals need to evaluate the possibilities of technical problems,
To break into a Decision Support System a hacker will generally go through a number of stages. The first stage is information gathering. During this phase a hacker is trying to gather as much information about your site as possible, for example, what are the user's names, their phone numbers, office locations, what machines are there. Second, using the information gathered about a DSS or OLTP a hacker tries to get a login account. It usually doesn't matter whose account. At this stage the hacker is just interested in getting onto the machine.
Third, a hacker tries to get administrator privileges for the system. Hackers exploit bugs in programs or badly configured systems. Finally, a hacker makes changes to gain access and control of the system. Social engineering is one of the most used methods for gaining access and it generally requires very little computer knowledge. The most common form of social engineering is for a hacker to impersonate an employee, usually a computer support employee, and obtain passwords or other security related information over the phone. Hackers also sift through the trash of an organization looking for passwords or other information. Some hackers actually get a job on the site; a janitor is a good bet. A lot of hackers consider people to be the weak link in security.
Passwords are the first line of defense in the security of a computer system. They are also usually the single biggest security hole. The main reason is that users perform actions with passwords that compromise their security including:
These actions make it easy for hackers to obtain passwords and by pass this important first line of defense.
If a person has managed to crack someone's password and break into their account the next step they will want to take is obtain an account with more access. The Systems Administrator is responsible for first setting up the file permissions correctly and then maintaining them.
The advent of networks, especially global networks such as the Internet has drastically increased the likelihood that a network accessible DSS will be attacked. No longer do you have to worry about just people on your site. You also have to worry about all of the people on the Internet.