Chapter 8. Securing Information Systems
Part 1. IT Security Challenges

Learning Objectives
• Explain why information systems are vulnerable to destruction, error, and abuse
• Assess the business value of security and control
• Identify the components of an organizational framework for security and control
• Evaluate the most important tools and technologies for safeguarding information resources
Produced by Dr. Brian Janz 1

System Vulnerability and Abuse
• Security:
  – Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls:
  – Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards

Our Systems Are Vulnerable in Many Areas, for Many Reasons
• Hardware problems
  – Breakdowns, configuration errors, damage from improper use or crime
• Software problems
  – Programming errors, installation errors, unauthorized changes
• Disasters
  – Power failures, floods, fires, etc.
• Use of networks and computers outside of firm's control, e.g., with domestic or offshore outsourcing vendors

Contemporary Security Challenges and Vulnerabilities (Figure 8-1)

Internet Vulnerabilities
• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers
• E-mail attachments
• E-mail used for transmitting trade secrets
• IM messages lack security, can be easily intercepted
Wireless Security Challenges
• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
  – Identify access points
  – Broadcast multiple times
• War driving
  – Eavesdroppers drive by buildings and try to intercept network traffic
  – When hacker gains access to SSID, has access to network's resources
• WEP (Wired Equivalent Privacy)
  – Security standard for 802.11
  – Basic specification uses shared password for both users and access point
  – Users often fail to use security features

Malicious Software (Malware)
• Viruses: Rogue software program that attaches itself to other software programs or data files in order to be executed
• Worms: Independent computer programs that copy themselves from one computer to other computers over a network
• Trojan horses: Software program that appears to be benign but then does something other than expected
• Spyware: Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up unwanted (and often obnoxious) advertising
• Key loggers: Record every keystroke on a computer to steal serial numbers and passwords, or to launch Internet attacks

Hackers and Computer Crime
• Hackers vs. crackers
• Activities include:
  – System intrusion
  – Theft of goods and information
  – System damage
  – System slow-down
  – Cyber-vandalism
    • Intentional disruption, defacement and destruction of websites or corporate information systems

Computer Crime
• Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
• Computer may be the target of crime:
  – Breaching confidentiality of protected computerized data
  – Accessing a computer system without authority
• Computer may be the instrument of crime:
  – Theft of trade secrets
  – Using e-mail for threats or harassment
Computer Crime (cont'd)
• Spoofing
  – Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else, e.g., princes from Africa, etc.
  – Redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination
• Sniffer: Eavesdropping program that monitors information traveling over a network
• Denial-of-service attacks (DoS): Flooding a server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS

Computer Crime (cont'd)
• Identity theft: Theft of personal information (social security ID, driver's license or credit card numbers) to impersonate someone else
• Phishing: Setting up fake websites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: Redirects users to a bogus web page, even when the individual types the correct web page address into his or her browser

Computer Crime (cont'd)
• Click fraud
  – Individual or computer program clicks online ad without any intention of learning more or making a purchase
• Global threats: Cyber-terrorism and cyber-warfare
  – Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups

Internal Threats: Employees
• Security threats often originate inside an organization
  – Inside knowledge
  – Sloppy security procedures
    • User lack of knowledge, appreciation for security measures, or importance of good passwords
  – Social engineering:
    • Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
Software Vulnerability
• Commercial software contains flaws that create security vulnerabilities
  – Hidden bugs (program code defects)
    • Zero defects cannot be achieved because complete testing is not possible with large programs
  – Flaws can open networks to intruders, bring systems down
• Patches to the rescue?
  – Vendors release small pieces of software to repair flaws
  – However, the amount of software in use can mean exploits are created faster than patches can be released and implemented
  – Sometimes patches introduce other defects

Chapter 8. Securing Information Systems
Part 2. The Business Value of IT Security and Control

Business Value of Security and Control
• Lack of security and/or control over information systems can lead to
  – Loss of revenue
    • Failed computer systems can lead to significant or total loss of business function
  – Lowered market value:
    • Information assets can have tremendous value
    • A security breach may cut into firm's market value almost immediately
  – Legal liability
  – Lowered employee productivity
  – Higher operational costs

Legal and Regulatory Requirements for Electronic Records Management
• Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
• HIPAA: Medical security, privacy rules and procedures in healthcare
• Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
• Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
Establishing a Framework for Security and Control
• General information systems controls govern design, security, and use of computer programs and data throughout the IT infrastructure
  – Combination of hardware, software, and manual procedures to create overall control environment
  – Types of general controls:
    • Software & hardware controls
    • Computer operations controls
    • Data security controls
    • Implementation controls
    • Administrative controls

Establishing a Framework for Security and Control
• Application controls: specific controls unique to each computerized application, such as payroll or order processing
  – Include both automated and manual procedures
  – Ensure that only authorized data are completely and accurately processed by that application
  – Types of application controls:
    • Input controls
    • Processing controls
    • Output controls

Risk Assessment
• Determines level of risk to firm if specific activity or process is not properly controlled
  – Types of threat
  – Probability of occurrence during year
  – Potential losses, value of threat
  – Expected annual loss (probability of occurrence × average loss)

EXPOSURE        PROBABILITY   LOSS RANGE (AVERAGE)       EXPECTED ANNUAL LOSS
Power failure   30%           $5K - $200K ($102,500)     $30,750
Embezzlement    5%            $1K - $50K ($25,500)       $1,275
User error      98%           $200 - $40K ($20,100)      $19,698

Establishing a Framework for Security and Control
• Security policy
  – Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
  – Drives other policies
    • Acceptable use policy (AUP): Defines acceptable uses of firm's information resources and computing equipment
    • Authorization policies: Determine differing levels of user access to information assets
• Authorization management systems
  – Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules, profile
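The risk assessment table above can be recomputed directly. This Python example is added here and is not part of Dr. Janz's slides: it takes the slide's three exposures, derives the average of each loss range, multiplies by the probability of occurrence during the year, and ranks the exposures by expected annual loss so that the largest exposures are considered for controls first.

```python
"""Expected annual loss (EAL) worksheet, added example (not from the slides)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float  # chance of occurrence during the year (0..1)
    loss_low: float     # low end of the loss range, in dollars
    loss_high: float    # high end of the loss range, in dollars

    @property
    def average_loss(self) -> float:
        # The slide's "(AVERAGE)" column is the midpoint of the loss range.
        return (self.loss_low + self.loss_high) / 2

    @property
    def expected_annual_loss(self) -> float:
        # EAL = probability of occurrence during the year x average loss.
        return self.probability * self.average_loss


# The three exposures from the slide's table.
SLIDE_EXPOSURES = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]


def rank_by_eal(exposures: list[Exposure]) -> list[tuple[str, float]]:
    """(name, EAL) pairs, highest expected annual loss first: the order in
    which controls should be considered."""
    ranked = sorted(exposures, key=lambda e: e.expected_annual_loss, reverse=True)
    return [(e.name, round(e.expected_annual_loss, 2)) for e in ranked]


def total_eal(exposures: list[Exposure]) -> float:
    """Sum of all EALs: a ceiling on what annual control spending is worth."""
    return round(sum(e.expected_annual_loss for e in exposures), 2)


if __name__ == "__main__":
    for name, eal in rank_by_eal(SLIDE_EXPOSURES):
        print(f"{name:<14} ${eal:>10,.2f}")
    print(f"{'Total':<14} ${total_eal(SLIDE_EXPOSURES):>10,.2f}")
```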
Security Profiles for a Personnel System (Figure 8-3)

Disaster Recovery and Business Continuity
• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after disaster
• Both types of plans needed to identify firm's most critical systems and business processes
  – Business impact analysis to determine impact of an outage
  – Management must determine
    • Maximum time systems can be down
    • Which systems must be restored first

The MIS Audit
• Examines firm's overall security environment as well as controls governing individual information systems
• Reviews technologies, procedures, documentation, training, and personnel
• May even simulate disaster to test response of technology, IS staff, other employees
• Lists and ranks all control weaknesses and estimates probability of their occurrence
• Assesses financial and organizational impact of each threat

Sample Auditor's List of Control Weaknesses (Figure 8-4)

Chapter 8. Securing Information Systems
Part 3. Technology and Tools for Security

Technologies and Tools for Security
• Access control: Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
  – Authorization
  – Authentication
    • Password systems
    • Tokens
    • Smart cards
    • Biometric authentication
Technologies and Tools for Security
• Firewall: Hardware and/or software to prevent unauthorized access to private networks
  – Screening technologies
    • Packet filtering: examines specific packets for authenticity
    • Stateful inspection: ascertains whether packets are part of a dialogue
    • Network address translation (NAT): conceals IP addresses
    • Application proxy filtering: a software "middleman" between sender and receiver
• Intrusion detection systems: Monitor vulnerable points on networks to detect and deter intruders
  – Examine events as they are happening to discover attacks in progress
  – Scan the network to find patterns indicative of attacks

Technologies and Tools for Security
• Antivirus and anti-spyware software:
  – Checks computers for presence of malware and can often eliminate it as well
  – Requires continual updating
• Unified threat management (UTM)
  – Comprehensive security management products
  – Tools include
    • Firewalls
    • Intrusion detection
    • VPNs
    • Web content filtering
    • Antispam software

Securing Wireless Networks
• WEP security can be improved:
  – Activating it
  – Assigning unique name to network's SSID
  – Using it with VPN technology
• Wi-Fi Alliance finalized WPA2 specification, replacing WEP with stronger standards
  – Continually changing keys
  – Encrypted authentication system with central server

Encryption
• Transforming text or data into cipher text that cannot be read by unintended recipients
• Two methods for encrypting network traffic
  – Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS)
  – Secure Hypertext Transfer Protocol (S-HTTP)
• Two methods of encryption
  – Symmetric key encryption
  – Public key encryption
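To make the firewall slide's distinction between packet filtering and stateful inspection concrete, here is an added Python simulation; it is not from the slides, and the addresses, ports and packets are constructed samples. A stateless rule that must let HTTPS replies back in has to accept any inbound packet from port 443, whether or not anyone inside asked for it, while the stateful firewall admits an inbound packet only when it belongs to a dialogue an inside host opened.

```python
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # constructed sample address space (added example)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True if arriving from the Internet side


def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering: each packet is judged on its own header fields only.
    To let replies to outbound HTTPS requests back in, the rule has to accept
    any inbound packet from source port 443, solicited or not."""
    if not pkt.inbound:
        return True
    return pkt.sport == 443 and pkt.dst.startswith(INTERNAL_NET)


class StatefulFirewall:
    """Stateful inspection: inbound packets admitted only for known dialogues."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Record the outbound flow so that its reply can come back in.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet must mirror a flow that was opened from inside.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed traffic: a genuine request/reply pair and an unsolicited packet
# that merely happens to arrive from port 443.
REQUEST = Packet("10.0.0.5", 51000, "203.0.113.10", 443, inbound=False)
REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 51000, inbound=True)
UNSOLICITED = Packet("198.51.100.7", 443, "10.0.0.9", 3389, inbound=True)


def compare() -> dict[str, tuple[bool, bool]]:
    """Return (stateless verdict, stateful verdict) for each inbound packet."""
    fw = StatefulFirewall()
    fw.allow(REQUEST)  # the inside host opens the dialogue first
    return {"reply": (stateless_filter(REPLY), fw.allow(REPLY)),
            "unsolicited": (stateless_filter(UNSOLICITED), fw.allow(UNSOLICITED))}
```

The stateless filter passes both inbound packets; the stateful one passes only the genuine reply, which is the page's "part of a dialogue" test in code.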
Public Key Encryption (Figure 7-6)

Encrypted Digital Certificates
• Data file used to establish the identity of users and electronic assets for protection of online transactions
• Uses a trusted third party, certification authority (CA), to validate a user's identity
• CA verifies user's identity, stores information in a CA server, which generates encrypted digital certificate containing owner ID information and a copy of owner's public key

Digital Certificates (Figure 8-7)

Ensuring System Availability
• Online transaction processing requires 100% availability, no downtime
• Fault-tolerant computer systems
  – For continuous availability
  – Contain redundant hardware, software, and power supply components to provide continuous, uninterrupted service
• High-availability computing
  – Helps recover quickly from crash
  – Minimizes, does not eliminate downtime

Ensuring Software Quality
• Software metrics: Objective assessments of system in form of quantified measurements
  – Number of transactions
  – Online response time
  – Payroll checks printed per hour
  – Known bugs per hundred lines of code
• Testing: Early and regular testing
  – Walkthrough: Review of specification or design document by small group of qualified people
  – Debugging: Process by which errors are eliminated
...
This note was uploaded on 02/24/2011 for the course MIS 7650 taught by Professor Janz during the Spring '11 term at U. Memphis.