1. Ransomware is a type of malicious software

1.          This will be able to guide how to protect
customer data and handle any potential loss of sensitive information. (YTL, 2017) Being the
victim of a ransomware attack is stressful and worrying for any business.
Ransomware is a type of malicious software from cryplovirology that threatens
to publish the victim’s data or perpetually block access to it unless a ransom
is paid. The attacker generates a key pair and places the malware.

Online
commerce is growing at 6 percent annually, three times the growth of
traditional offline retail. Businesses are using information technology to
sense and respond to rapidly changing customer demand, reduce inventories to
the most possible levels to get to market faster. Global ecommerce and Internet
advertising continue to expand. Google’s online. These changes in information
technology and systems consumer behavior, and commerce have spurred the annual
growth of digital information to over 5 Exabyte’s of a mobile digital business
platform based on smartphones and tablet computers, big data business
analytics.

 

E-commerce
is changing how firms design, produce, and deliver their products and services.
Growth in social commerce is spurred by powerful growth of the mobile platform.
What makes information systems so essential today information systems are essential
for conducting day-to-day business in most advanced countries as will as
achieving strategic business objectives, specifically, business firms invest
heavily in information systems to achieve six strategic business objectives;
operational excellence new products, services, and business models; customer
and supplies intimacy; improved decision making; competitive advantage; and
survival.

Information
technology (IT) consists of all the hardware and software that a firm needs to
use in order to achieve its business objectives. “Information systems” are more
complex and can be best understood by looking at them from both a technology
and a business perspective. By information we mean data that have been shaped
into a form that is meaningful and useful to human beings.

There
activities in an information system produce the information that organization
need to make decision, control operations, analyze problems and create new
products or services. The field of management information systems (MIS) tries
to achieve this broader information systems literacy. Let’s examine each of the
dimensions of information systems _ organizations, management, and information
technology. Information has a structure that is composed of different levels
and specialties.

Senior
management makes long – range strategic decisions about products and services
as well as ensures financial performance of the firm. Middle management, and
operational management are responsible for monitoring the daily activities of
the business. Computer hardware is the physical equipment used for input,
processing, and output activities in an information system.

Data
management technology consists of the software governing the organization of
data on physical storage media. The world’s largest and most widely used
network is the Internet. Operations research focuses on mathematical techniques
for optimizing selected parameters of organizations, such as transportation,
inventory control, and transaction costs. As important part of the information
systems field is concerned with behavioral issues that arise in the development
and long _term maintenance of information systems.

The
allows many businesses to buy, sell, advertise, and solicit customer feedback
online. The Internet has stimulated globalization by dramatically reducing the
costs of producing, buying, and selling goods on a global scale. New
information system trends include the emerging mobile digital platform, big
data and cloud computing.

Once
we are fully aware of the nature of the attack and have decided how we will respond
contacting all affected stakeholders is a must. Individuals or organization are
not encouraged to pay the ransom, as this does not guarantee files will be released.

European
companies infected with WannaCry are at risk of lawsuits and regulatory
enforcement action if they haven’t adopted appropriate technical. While the
infected computer can still be used, the risk of losing valuable data can
impact productivity. (Alvarez, 2018)

2.         The security threats to any information
system of an organization. A successful organization should have the following
multiple layers of security in place to protect its operation:

·     
Physical
security

·     
Personnel
security

·     
Operations
security

·     
Communications
security

·     
Network
security

·     
Information
security

It
is achieved via the application of policy, education, training and awareness,
and technology. (Cengage)

If you are really
interested to find out these threats, I have them here and do get yourself a
cup of coffee before you start. The types of computer security threats Trojan,
Virus, Adware, Backdoor, wabbits. 
Exploit, How to remove virus are Botnet, Diaker, Dropper, foke AV, Phirhing,
Cookies, bluesnarfing, Blue Jacking DDoS. Here’s a quick explanation of some of
the common security threats you may come across: As a rule, an organization can
greatly reduce its vulnerability to security threats by implementing a comprehensive
privacy and data security plan. There are technical data security to
information systems and non-technical cyber security threats to information
systems.

Non- existent
Security Architecture. It is important to note that having a firewall alone is
not sufficient to ensure the safety of a network.

Un _ patched
Client Side Software and Applications. Keeping up with soft ware updates and
upgrades, in addition to applying manufacturer-recommended patches, minimizes,
many of the vulnerabilities.

Mitigation: To
reduce the ability of malicious actors to compromise or destroy an
organization’s security system.

” Phishing ” and Targeted
 Attacks (“Spear Phishing”). Once
infected emails are opened, the user’s matching can be compromised.

Internet Web
sites; malicious code can be transferred to a computer through browsing
webpages that have not undergone security updates.

Poor Can
figuration Management; Any computer connected to the network, whether at work
or at home that does not follow configuration management policy.

Mitigation
Establish a configuration management policy for connecting any hardware to the
network.

Mobile devices
Use of mobile devices, such as laptops or handheld devices, including
smartphone users, is exploding.

Botnets. Botnets
are networks of compromised computers used by hackers for malicious purposes,
usually criminal in nature.

 Zero-day Attacks. A zero-day attack is a
threat aimed at exploiting a software application vendor becomes aware of it.

·     
Non-technical
cyber security threats to information systems.

·     
Inside. An insider is defined as someone legitimate access to the
network.

·     
Poor Passwords. Implementing a policy on strong user
passwords is critical to data protection.

·     
Physical Security. Physical security is essential to
preventing unauthorized access to sensitive data as well as protecting an
organization’s personnel and resources.

·     
Mitigation. Establish and enforce a physical
security system.

·     
Insufficient Backup and Recovery. Lack of a robust data backup and
recovery solution puts an organization’s data at risk.

·     
Improper Destruction Paper documents. Such as reports and catalogs may contain
sensitive data.

·     
Social Media. Using organization’s devices and network
resources to access social media websites pores a high data security threats.

·     
Social Engineering. Breaking into a network does not require
technical skills. (Data Security: Top Threats to
Data Protection, 2011)

Vulnerabilities
consist of weaknesses in a system that can be exploited by the attackers that
may lead to dangerous impact. Threats classification helps identify and organize
security threats into classes to access and evaluate their developed strategies
to prevent, or mitigate the impacts of threats on the system. Security threat frequency;
It shows the frequency of security threat occurrence. Area of security threat
activity; it represents the domain that is being affected by the threat like
physical security. Security threat source; the origin of threat either Internal
of external. Destruction of information, corruption of information, theft or
loss of information, disclosure of information, denial of use, elevation of
privilege and illegal usage. Wildfire, flooding, earthquakes and tidal waves
are caused by accidental external natural phenomena and allow. (Jouini, 2014)

While we have a
host of technical solutions to the problems enumerated above, the biggest
vector for the importation of all things bad remains the uninformed users
within our enterprises. (Sanchez, 2010)

 

3.         What is ransomware. Simply put, it’s
malicious software that locks down date unless a ransom is paid, hence the
name. It’s relatively new as far as malicious software goes; the first thing
you should always do is contact a security professional.  Ransomware attacks can be complex and acting
without the advice of a professional could potentially cause more harm than
good.

Imagine
it’s an otherwise typical day. You wake up head into the office, pour yourself
a cup of office, and settle in to get some critical work dome before its due.
Maybe you opened on attachment that you weren’t expecting maybe you were lured
to a website that downloaded the virus. Other common ways crooks trick you into
downloading ransomware include. Imagine for a moment that you receive a phone
call from a client to hear that hundreds of their computers have been infected
with ransomware, knocking critical systems offline and putting their
organization’s entire operations at risk to your business’ revenues or reputation
as well as ensuring that you will be able to address any legal requirements as
a result of your ransomware attack. A ransomware attack creates two hard
choices for a business; either pay the ransom, or spend multiple days
recovering locked files. As an individual user, you should ensure that you’re
using a fully- updated version of windows. If you’re on an older release due to
a company policy. (Arora, 2017)

When
it comes to ransomware attack, what matters most is how quickly you’re able to
get back to help you identify where the ransomware attack came from and contain
it to limit the damage. You may have heard of attacks on hospitals that
rendered their entire medical suite useless, all for the hackers to get a
couple bucks and probably notoriety within a hacking community. Consider that
hospitals are probably more guarded than you. The worldwide ransomware attack
that affected banks, hospitals and other companies heightens corporate
regulatory and litigation risks, privacy attorneys told Bloomberg BNA. You have
a legal responsibility to inform them even if their personal data has not been stolen.
This type of attack is becoming increasingly common and is constantly evolving
into new, more advanced strains. Many companies are unaware of threat it poses;
however; it is important to protect your organization and your data, against
ransomware. (Cengage)

 

Ransomware
historically Microsoft office, Adobe PDF and image files have been targeted, but
MA fee predicts that additional types of files will become target as ransomware
continues to evolve. According to e scan antivirus reports 2017 India was one
of the worst affected by cyber attack. As well as having a response pain your
business should also have a comprehensive recovery plan in place. It is
generally spread using some form of social engineering; victims are tricked
into downloading an mail attachment or clicking a link. (The Business
Guide to Ransomware, 2018) Determining
the primary attack is critical to understanding what the attacker’s primary
campaign is targeting and ensures that you aren’t missing the actual attack by
focusing solely on the ransomware. Individuals with a Hotmail account can
access their email and send email from any location as long as they are
connected to the Internet.

Infrastructure
operations which can include provisioning the customer’s desktop environment,
as well as operating data centers to host the applications. Organizations of
all types are looking to build ‘digital strategies’ or ‘digital business strategies’.
Organization such as banks, online travel agencies, tax authorities, and
electronic bookshops can be seen as IT companies given the central role of
their information systems. Ransomware can have serious implication; take
precautions sooner rather than later. Here are tips to reduce the chances of
being affected and to happen: The impact that web site administrators are
facing is twofold. Insurance attacks are generally available in both cyber and
kidnap and ransom policies.

 

4.          Prepare a prevention and risk
mitigation plan to organizations so that the organizations are well prepared
for future attacks. General controls govern the design, security, and use of
computer programs and the security of data files in general throughout the
organization’s information technology infrastructure. Application controls are
specific controls unique to each computerized application, such as payroll or
order processing. Application controls can be classified as:

(1)  Input controls

(2)  Processing controls

(3)  Output controls (Laudon K. C.,
2018)

A risk assessment
determines the level of risk to the firm if a specific activity or process is
not properly controlled. (Laudon K. C., 2018) Business  continuity planning focuses on how the company
can restore business operations after a disaster strikes. As information
systems audit examines the firm’s overall security environment as well as
controls governing individual information systems. There are various ways to do
this. Which helps organizations identify vulnerabilities and threats to their
critical information and plan protection strategies. Any service is at least as
critical as the most important service depending on it. (Sanchez,
2010)

         Absorb the attack. This implies that
additional capacity has already been planned

for, installed,
and tested before an attack begins.

        Degrade services. The critical services
have been identified, it nay be possible to design the network, systems.

        Shut down services. It is plausible
that an organization could decide to simply shut down all services until an
attack has subsided.

        These need to be in place ahead of
time. It is also important to have communication plans in place. Survivability
is the ability of a network computing system to provide essential services in
the presence attacks and failures, and to recover full services in a timely
manner. The technical issues by discussing general principles that applies to
the survivability subjective:

–      
Separate,
or compartmentalize, critical services wherever practical.

–      
Overprovision
as much as possible.

–      
Minimize
your “target cross- section.”

Attackers know
this, and as a result many DoS agents use small packets in their attacks.

There is a
distinct risk that adding capacity to one part of the network may just expose a
bottleneck elsewhere, or even has a cascade effect.

         The primary objectives are to (1)
present a small initial target and (2) limit the          damage that an attack on that on that
target can have. Include these;

–      
Disable
unneeded services. As an example of the “principle of least privilege, all
services that are not expressly required for business operations should be
disabled.

–      
Hide
the internals of your network. In many situations, there little need for
external users to be able to gather information about internal network
configurations.

–      
Filter
all non-essential traffic as close to the source as possible.

Monitoring
ongoing operations to be able to detect anomalous behavior. Preparing the
organization to react among these are;

–      
Cultivate
an analysis capability

–      
Create
an incident response plan

–      
Develop
an ongoing relationship with your upstream provider

Create an
incident response plan an incident response plan is vital to the successful
handling of any incident. Every organization needs not only a response plan,
but also a team that will implement it. So, a key factor for success will be
the support of senior management. Organizations should not feel  that every position in the response team
needs to be filled by in-house staff. The composition of the team also needs to
be regularly reviewed. Teams should adopt the model of: plan, do, check. (Preparing for future attacks, 2018)

 

Plan 
     – Establish objectives, policies and
procedures to meet the requirements of the  

                  Business.

Do      
   – Implement these policies and procedures.

Check    – Verify if these are effective at
meeting objectives in practice.

Act         – Take action to modify plans according to experience gained
to refine and                 

                  Improve.

Internet service
provider (s) may be in a far more advantageous position to mitigate the attack
than you are. Here are some items you might want to ask for:

            – Visibility of their backbone performance data.

            – Relief from per-bit rate pricing in the event of attack.

            – Rate limiting.

            – Protocol or port blocking.

            – Response-time commitments for support.

Attack tools are
controlled in a variety of ways; some earlier tools established listening
ports. Continuously monitor inbound and outbound network traffic to identify
unusual activity or trends that could indicate attacks and the compromise of
data. Using media rich games ad simulations, we design, build, and host highly
interactive and engaging courses that hold a user’s attention regardless of the
subject matter.

5.             Those ethical issues that may
arise from using connected devices in an organization; ethical, social and
political issues are closely linked. Imagine society as a calm pond on a
summer’s day, a delicate ecosystem in partial equilibrium with individuals.
Toss a rock into the center of the pond. Individual actors are confronted with
new situations not often covered by the old rules. It may years to develop
etiquette, expectations and social responsibility, politically correct
attitudes rules. These lapses in ethical and business judgment occurred across
a broad spectrum of industries. Ethical issues in information systems have been
given new urgency by the rise of the Internet and e- commerce.

A
Model for Thinking About Ethical, Social, and Political Issues are closely
linked. Five moral dimensions of the information age;

                 1. Work with little
supervision, yet seek guidance as needed. (TRUSTWORTHINESS)

                 2. Use good manners, be courteous
and polite. (TRUSTWORTHINESS)

                 3. Performing duties, fulfilling
responsibilities, keeping up his words, and not  

                    Hurting others are the
characteristics of a gentleman.

                 4. Refuse to lay cheat,
deceive, manipulate, exploit or take advantage of others. (TRUSTWORTHINESS)

                 5.Accountability and control:
Who can and will be held accountable and liable for the harm done to individual
and collective information and property rights. (five moral
values)

Key technology
trends that raise ethical issues, the doubling of computing power every 18
months has made it possible for most organizations to use information systems
for their core production processes. 

                   Basic concept:
responsibility, accountability and liability responsibility is a key element of
ethical action. Accountability is a feature of systems and social institutions;
it means that mechanisms are in place to determine who took action and who is
responsible. Liability extends the concept of responsibility further to the
area of laws it is a feature of political systems. (Laudon K. C., 2018)

                

              – 
The golden Rule is doing unto others, as you would have them do unto
you.

               

              – 
Immanuel Kant’s categorical imperative if an action is not right for
everyone              

                  to take.

 

– The slippery
slope rule is an action cannot be taken repeatedly, it is not right

   to take at all.

– Utilitarian
principle the action takes achieves the higher or greater value.

– Risk aversion
principle takes the action that produces the least harm or the least               

  Potential cost.

                                                  -The ethical no-free-lunch rule is
assume that virtually all tangible and              

                                    Intangible
objects are owned by someone else unless a specific declaration otherwise.

Internet
challenges to privacy posed new challenges for the protection of individual.

Cookies are small
text files deposited on a computer hard drive when a user visits websites the
visitor’s web browser software. Web beacons, also called web bugs (or simply
tracking files) are tiny software programs that keep a record of users’ online
click streams. Other spyware can secretly install itself on an Internet user’s
computer by piggybacking on larger application. Challenges to intellectual
property rights is digital media differ from books, periodicals, and other
media in terms of ease of replication; ease of transmission; ease of
alteration; compactness- making theft easy; and difficulties in establishing
uniqueness. (Laudon K. C., 2018)