Chapter 8 - Chapter 8. Securing Information Systems Part 1....


Chapter 8. Securing Information Systems
Part 1. IT Security Challenges

Learning Objectives
• Explain why information systems are vulnerable to destruction, error, and abuse
• Assess the business value of security and control
• Identify the components of an organizational framework for security and control
• Evaluate the most important tools and technologies for safeguarding information resources

Produced by Dr. Brian Janz

System Vulnerability and Abuse
• Security:
  – Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls:
  – Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy and reliability of its accounting records; and operational adherence to management standards

Our Systems are Vulnerable In Many Areas, for Many Reasons
• Hardware problems
  – Breakdowns, configuration errors, damage from improper use or crime
• Software problems
  – Programming errors, installation errors, unauthorized changes
• Disasters
  – Power failures, flood, fires, etc.
• Use of networks and computers outside of firm’s control, e.g., with domestic or offshore outsourcing vendors

Contemporary Security Challenges and Vulnerabilities
Figure 8-1

Internet Vulnerabilities
• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers
• E-mail attachments
• E-mail used for transmitting trade secrets
• IM messages lack security, can be easily intercepted

Wireless Security Challenges
• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
  – Identify access points
  – Broadcast multiple times
• War driving
  – Eavesdroppers drive by buildings and try to intercept network traffic
  – When hacker gains access to SSID, has access to network’s resources
• WEP (Wired Equivalent Privacy)
  – Security standard for 802.11
  – Basic specification uses shared password for both users and access point
  – Users often fail to use security features

Malicious Software (Malware)
• Viruses: Rogue software program that attaches itself to other software programs or data files in order to be executed
• Worms: Independent computer programs that copy themselves from one computer to other computers over a network
• Trojan horses: Software program that appears to be benign but then does something other than expected
• Spyware: Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up unwanted (and often obnoxious) advertising
• Key loggers: Record every keystroke on computer to steal serial numbers and passwords, to launch Internet attacks

Hackers and Computer Crime
• Hackers vs. crackers
• Activities include:
  – System intrusion
  – Theft of goods and information
  – System damage
  – System slow-down
  – Cyber-vandalism
    • Intentional disruption, defacement and destruction of websites or corporate information systems

Computer Crime
• Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
• Computer may be the target of crime:
  – Breaching confidentiality of protected computerized data
  – Accessing a computer system without authority
• Computer may be the instrument of crime:
  – Theft of trade secrets
  – Using e-mail for threats or harassment

Computer Crime (cont’d)
• Spoofing
  – Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else, e.g., princes from Africa, etc.
  – Redirecting a web link to an address different from intended one, with the site masquerading as intended destination
• Sniffer: Eavesdropping program that monitors information traveling over network
• Denial-of-service attacks (DoS): Flooding server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS

Computer Crime (cont’d)
• Identity theft: Theft of personal information (social security id, driver’s license or credit card numbers) to impersonate someone else
• Phishing: Setting up fake websites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: Redirects users to a bogus web page, even when individual types correct web page address into his or her browser

Computer Crime (cont’d)
• Click fraud
  – Individual or computer program clicks online ad without any intention of learning more or making a purchase
• Global threats: Cyber-terrorism and cyber-warfare
  – Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups

Internal Threats: Employees
• Security threats often originate inside an organization
  – Inside knowledge
  – Sloppy security procedures
    • User lack of knowledge, appreciation for security measures, or importance of good passwords
  – Social engineering:
    • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

Software Vulnerability
• Commercial software contains flaws that create security vulnerabilities
  – Hidden bugs (program code defects)
    • Zero defects cannot be achieved because complete testing is not possible with large programs
• Patches to the rescue?
  – Flaws can open networks to intruders, bring systems down
  – Vendors release small pieces of software to repair flaws
  – However, amount of software in use can mean exploits are created faster than patches can be released and implemented
  – Sometimes patches introduce other defects

Chapter 8. Securing Information Systems
Part 2. The Business Value of IT Security and Control

Business Value of Security and Control
• Lack of security and/or control over information systems can lead to
  – Loss of revenue
    • Failed computer systems can lead to significant or total loss of business function
  – Lowered market value:
    • Information assets can have tremendous value
    • A security breach may cut into firm’s market value almost immediately
  – Legal liability
  – Lowered employee productivity
  – Higher operational costs

Legal and Regulatory Requirements for Electronic Records Management
• Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
• HIPAA: Medical security, privacy rules and procedures in healthcare
• Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
• Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

Establishing a Framework for Security and Control
• General information systems controls govern design, security, and use of computer programs and data throughout the IT infrastructure
  – Combination of hardware, software, and manual procedures to create overall control environment
  – Types of general controls:
    • Software & hardware controls
    • Computer operations controls
    • Data security controls
    • Implementation controls
    • Administrative controls

Establishing a Framework for Security and Control
• Application controls: specific controls unique to each computerized application, such as payroll or order processing
  – Include both automated and manual procedures
  – Ensure that only authorized data are completely and accurately processed by that application
  – Types of application controls:
    • Input controls
    • Processing controls
    • Output controls

Risk Assessment
• Determines level of risk to firm if specific activity or process is not properly controlled
  – Types of threat
  – Probability of occurrence during year
  – Potential losses, value of threat
  – Expected annual loss

EXPOSURE        PROBABILITY   LOSS RANGE (AVERAGE)       EXPECTED ANNUAL LOSS
Power failure   30%           $5K - $200K ($102,500)     $30,750
Embezzlement    5%            $1K - $50K ($25,500)       $1,275
User error      98%           $200 - $40K ($20,100)      $19,698

Establishing a Framework for Security and Control
• Security policy
  – Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
  – Drives other policies
    • Acceptable use policy (AUP): Defines acceptable uses of firm’s information resources and computing equipment
    • Authorization policies: Determine differing levels of user access to information assets
• Authorization management systems
  – Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules, profile

Security Profiles for a Personnel System
Figure 8-3

Disaster Recovery and Business Continuity
• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after disaster
• Both types of plans needed to identify firm’s most critical systems and business processes
  – Business impact analysis to determine impact of an outage
  – Management must determine
    • Maximum time systems can be down
    • Which systems must be restored first

The MIS Audit
• Examines firm’s overall security environment as well as controls governing individual information systems
• Reviews technologies, procedures, documentation, training, and personnel
• May even simulate disaster to test response of technology, IS staff, other employees
• Lists and ranks all control weaknesses and estimates probability of their occurrence
• Assesses financial and organizational impact of each threat

Sample Auditor’s List of Control Weaknesses
Figure 8-4

Chapter 8. Securing Information Systems
Part 3. Technology and Tools for Security

Technologies and Tools for Security
• Access control: Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
  – Authorization
  – Authentication
    • Password systems
    • Tokens
    • Smart cards
    • Biometric authentication

Technologies and Tools for Security
• Firewall: Hardware and/or software to prevent unauthorized access to private networks
  – Screening technologies
    • Packet filtering: examines specific packets for authenticity
    • Stateful inspection: ascertains whether packets are part of a dialogue
    • Network address translation (NAT): conceals IP addresses
    • Application proxy filtering: a software “middleman” between sender/receiver
• Intrusion detection systems: Monitor vulnerable points on networks to detect and deter intruders
  – Examines events as they are happening to discover attacks in progress
  – Scans the network to find patterns indicative of attacks

Technologies and Tools for Security
• Antivirus and anti-spyware software:
  – Checks computers for presence of malware and can often eliminate it as well
  – Require continual updating
• Unified threat management (UTM)
  – Comprehensive security management products
  – Tools include
    • Firewalls
    • Intrusion detection
    • VPNs
    • Web content filtering
    • Antispam software

Securing Wireless Networks
• WEP security can be improved:
  – Activating it
  – Assigning unique name to network’s SSID
  – Using it with VPN technology
• Wi-Fi Alliance finalized WPA2 specification, replacing WEP with stronger standards
  – Continually changing keys
  – Encrypted authentication system with central server

Encryption
• Transforming text or data into cipher text that cannot be read by unintended recipients
• Two methods for encrypting network traffic
  – Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS)
  – Secure Hypertext Transfer Protocol (S-HTTP)
• Two methods of encryption
  – Symmetric key encryption
  – Public key encryption

Public Key Encryption
Figure 7-6

Encrypted Digital Certificates
• Data file used to establish the identity of users and electronic assets for protection of online transactions
• Uses a trusted third party, certification authority (CA), to validate a user’s identity
• CA verifies user’s identity, stores information in a CA server, which generates encrypted digital certificate containing owner ID information, and a copy of owner’s public key

Digital Certificates
Figure 8-7

Ensuring System Availability
• Online transaction processing requires 100% availability, no downtime
• Fault-tolerant computer systems
  – For continuous availability
  – Contain redundant hardware, software, and power supply components to provide continuous, uninterrupted service
• High-availability computing
  – Helps recover quickly from crash
  – Minimizes, does not eliminate downtime

Ensuring Software Quality
• Software Metrics: Objective assessments of system in form of quantified measurements
  – Number of transactions
  – Online response time
  – Payroll checks printed per hour
  – Known bugs per hundred lines of code
• Testing: Early and regular testing
  – Walkthrough: Review of specification or design document by small group of qualified people
  – Debugging: Process by which errors are eliminated

...
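The contrast between packet filtering and stateful inspection on the firewall slide (Technologies and Tools for Security), as an added example that is not part of the original slides: a toy stateless filter and a toy stateful firewall apply the same outbound-HTTPS-only policy to constructed traffic. The `Packet` class, the 10.0.0.x inside network, the port-443 policy and every address are assumptions made for the illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # assumed private network; all addresses are constructed

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # simplified TCP flag: "SYN", "SYN-ACK" or "ACK"

def inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def packet_filter(p):
    """Stateless rule set: each packet is judged on its own header fields."""
    if inside(p.src):
        return p.dport == 443                    # outbound: HTTPS only
    return p.sport == 443 and p.flag != "SYN"    # inbound: merely looks like a web reply

class StatefulFirewall:
    """Same policy, plus a table of dialogues that inside hosts actually opened."""
    def __init__(self):
        self.dialogues = set()   # (inside ip, inside port, outside ip, outside port)

    def allow(self, p):
        if inside(p.src):
            if p.dport != 443:
                return False
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flag == "SYN":
                self.dialogues.add(key)          # remember the new dialogue
            return key in self.dialogues
        # inbound: admit only replies that belong to a remembered dialogue
        return p.flag != "SYN" and (p.dst, p.dport, p.src, p.sport) in self.dialogues

# Constructed sample traffic (documentation address ranges)
SAMPLE = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),      # insider opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SYN-ACK"),  # genuine reply
    Packet("198.51.100.7", 443, "10.0.0.9", 40000, "ACK"),      # reply to no dialogue
    Packet("198.51.100.7", 55555, "10.0.0.9", 22, "SYN"),       # unsolicited inbound
]

def compare(traffic):
    """Return (packet-filter verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.allow(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdicts)
```

The third packet is the one that separates the two: its headers satisfy the stateless rule, but no inside host ever opened that dialogue, so only the stateful firewall drops it.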

This note was uploaded on 02/24/2011 for the course MIS 7650 taught by Professor Janz during the Spring '11 term at U. Memphis.
