Lesson 14: Information Security and Control

Intrusions into computer-based information systems
• 84% accidental
  o Modifications
  o Destruction
  o Unauthorized use/disclosure
• Intentional intrusions: 13% internal and 3% external
• Conclusion: Computer crimes and accidents are the work of insiders

Natural Disasters and Failures:
• Earthquake
• Flood
• Tornado
• Hurricane
• Fire
• Power failure

Computer Viruses: Rogue Programs
• Viruses = software written with malicious intent to cause annoyance or damage: undesired code which attaches itself to good code in order to replicate itself
• Worms = independent program (does not need to attach to another program) that replicates itself and propagates via a network
• Trojan horse = undesired code intentionally hidden within a block of desired code
  o Logic bomb = dormant until an event occurs
  o Time bomb = dormant until a date/time occurs

Other intrusions into computer-based information systems
• Denial-of-service = flooding a web site
• Data diddling = changing data before or during input
• Spoofing = forging of a return address on an e-mail
• Scavenging = unauthorized access to info by searching through the residuals after a job has been run on a computer
• Backdoor programs = viruses that open a way into a network for future attacks
• Wiretapping = classic phone tap on a transmission line
• Sniffing = software programs that reside at switches and hubs to read message traffic

Sniffer Programs
• A software program that is used to tap into a network and record information that passes through a particular router
• A sniffer program can read e-mail and e-business transactions
• Analogous to tapping a phone line

Phishing
• Tricking users into disclosing sensitive information: credit card numbers, bank accounts, SSNs, passwords, etc.
• Uses spam e-mail, fraudulent pop-up messages and fake web pages to obtain the info
• Scam artists then use the info to perpetrate credit card fraud or identity theft

Dimensions of Computer Crime:
• Average computer crime dollar loss > $2 million
• Only 15% of computer crimes are reported
• Only 33% of computer criminals are prosecuted
• Typical computer criminal:
  o An employee, bright, reliable
  o Male, 29 years old
  o No previous criminal record
  o 70% work in technical or management areas

What makes Computer Crime different from other fraud?
• Data and information can be easily copied/erased remotely and quickly
• Programs & data can often be altered without a trace
• Concentration of data & information
• Users accept computer-based systems' responses without question
• Technical people can circumvent controls

Computer Crime is increasing
• We are moving to a system of electronic money
• Population is becoming more computer literate
• Hardware and software are more powerful and inexpensive
• World-wide internet access
• 5th generation computers connected via a 1st generation communication system: telephone lines
• Demand for faster service prohibits human involvement
• Computer personnel are "free souls": loyalty to profession, not to employers

Methods of Information Systems Security and Control
• Organizational structure
  o Separate analysts & programmers from system operators
  o Separate input from output, from database, from processing people
  o Create an organizational structure that "forces" a perpetrator to require an accomplice
  o Use source data automation; data entry is the largest source of security breaches and errors
• System Design and Development
  o Good design: the best place to ensure security and control
  o Document system usage
  o Retain source documents
  o Verify transactions: data and visually
  o Data communications receipt checking
  o Data processing controls
  o Specify acceptance testing for new information systems
  o Conduct post-installation review and audit
• Facility and use access and control
  o Use of passwords and PIN numbers (lengthen passwords, use one-time passwords, call-back procedures, question/answer sequence)
  o Token recognition (RSA authenticators); magnetic card readers, smart cards
  o Locks, keys, guards
  o Use biometric devices for access control: retina scan, fingerprint, handprint, voice recognition, vein print, palm print, face scan, signature analysis
  o Private Key (symmetric) System
    • The same key is used to encrypt and decrypt the plaintext
    • The sender and receiver share the same key without revealing it to others (private)
    • Since the data encryption algorithm used for sending the message is well established, the security offered is a function of the length of the private key used
  o Public (Asymmetric) Key Encryption: use of 2 different (matched) keys
    • Public key for all authorized users
    • Private key known only to the owner
• Administrative and management controls
  o Good administrative and management practices: the most effective way to reduce computer crime and accidents
  o Hiring procedures
  o Employee awareness and training (policy on information systems non-use, non-disclosure of data, mandatory personnel review system, vacation and job rotation policy, channels for addressing grievances)
  o Employment termination practice ...
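The notes list one-time passwords and token authenticators as an access control, and separately describe sniffing of network traffic. The following added example (not part of the lecture notes, and not the mechanism of any particular RSA token) shows why the two belong together: it implements HOTP from RFC 4226 as one concrete one-time-password algorithm, with a small server-side verifier, and contrasts it with a reusable static password. The secret, the look-ahead window of 3 and the class names are assumptions chosen for the demonstration; the secret is the RFC 4226 test value so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo. It is also the test secret from
# RFC 4226 Appendix D, so the codes it yields (755224, 287082, 359152, ...)
# match the published vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one token: the next counter value it will accept.

    Every accepted code advances the counter, so a code that was observed on
    the wire (sniffed) is useless once its owner has used it.
    """

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.next_counter = 0
        self.window = window      # tolerate a few codes generated but never submitted

    def verify(self, submitted: str) -> bool:
        for ctr in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, ctr)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.next_counter = ctr + 1                 # consume this and earlier codes
                return True
        return False


class StaticPasswordVerifier:
    """Reusable password, for contrast: a captured value keeps working."""

    def __init__(self, password: str):
        self.password = password

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(self.password, submitted)


def replay_demo() -> dict:
    """Submit the same credential twice against each scheme; return the outcomes."""
    otp = OtpVerifier(SECRET)
    first_code = hotp(SECRET, 0)
    otp_results = [otp.verify(first_code), otp.verify(first_code)]   # second use is a replay

    static = StaticPasswordVerifier("hunter2")                        # constructed password
    static_results = [static.verify("hunter2"), static.verify("hunter2")]
    return {"otp": otp_results, "static": static_results}


if __name__ == "__main__":
    print("first three codes:", [hotp(SECRET, i) for i in range(3)])
    print(replay_demo())
```

The verifier keeps the counter on the server side only; the token holds the same secret and counter and never transmits either, which is the property that makes a sniffed code worthless after one use. The look-ahead window is a usability trade-off: a larger window tolerates more unsubmitted presses but also widens the set of codes an attacker could guess, so it should stay small and be paired with rate limiting.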
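The notes state the two encryption models (one shared private key versus a matched public/private pair) and the claim that, with a well-established algorithm, symmetric security is a function of key length. The following added example (not part of the lecture notes) makes both concrete in Python: a toy keystream cipher shows that the same key encrypts and decrypts and that a short key falls to exhaustive search bounded by 2^bits, and textbook RSA over two constructed Mersenne primes shows that the public key encrypts and only the private key decrypts. The cipher construction, the 16-bit key, the primes and all function names are assumptions for the demonstration; neither construction is a production design.

```python
import hashlib

# --- Private key (symmetric) system: one shared secret --------------------
# Toy stream cipher for illustration only: keystream = SHA-256(key || counter).
# It demonstrates the model (same key both ways), not a production cipher.


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a pseudo-random keystream of the requested length."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force_key(key_bits: int, ciphertext: bytes, known_plaintext: bytes):
    """Recover a short key by exhaustive search; returns (key, trials).

    Work is bounded by 2**key_bits: with a fixed, public algorithm, the key
    length is the security parameter, which is the point made in the notes.
    """
    nbytes = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(nbytes, "big")
        if symmetric_crypt(key, ciphertext) == known_plaintext:
            return key, candidate + 1
    return None, 1 << key_bits


# --- Public (asymmetric) key encryption: two matched keys -----------------
# Textbook RSA with two constructed Mersenne primes (2^31-1 and 2^61-1).
# Real deployments use ~2048-bit primes and OAEP padding; this is a demo size.

P = 2 ** 31 - 1
Q = 2 ** 61 - 1


def rsa_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the private exponent d can decrypt."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> dict:
    """Walk both models and return the observable results."""
    # Symmetric: sender and receiver hold the same constructed 16-bit key.
    shared_key = (0x1A2B).to_bytes(2, "big")
    plaintext = b"wire transfer #42"
    ciphertext = symmetric_crypt(shared_key, plaintext)
    recovered, trials = brute_force_key(16, ciphertext, plaintext)

    # Asymmetric: encrypt with the public key, decrypt with the private key.
    public_key, private_key = rsa_keypair()
    c = rsa_encrypt(public_key, b"pin:1234")
    return {
        "symmetric_roundtrip": symmetric_crypt(shared_key, ciphertext) == plaintext,
        "wrong_key_fails": symmetric_crypt(b"\x00\x01", ciphertext) != plaintext,
        "brute_forced_key": recovered,
        "trials": trials,
        "max_trials_16_bit": 1 << 16,
        "rsa_roundtrip": rsa_decrypt(private_key, c) == b"pin:1234",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the demo shows the 16-bit key recovered after a few thousand trials; every added key bit doubles that bound, which is why the notes tie symmetric security to key length once the algorithm itself is public. The RSA half shows the distribution advantage of the asymmetric model: the public key can be handed to every authorized user without the secrecy requirement that the shared symmetric key carries.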
This document was uploaded on 02/05/2011.
- Summer '09