Ch08 Securing Information Systems


  • 7/23/2019 Ch08 Securing Information Systems

    1/43

    8.1 2010 by Pearson

    Chapter 8

    Securing Information Systems

  • LEARNING OBJECTIVES

    Explain why information systems are vulnerable to destruction, error, and abuse.

    Assess the business value of security and control.

    Identify the components of an organizational framework for security and control.

    Evaluate the most important tools and technologies for safeguarding information resources.

    Management Information Systems, Chapter 8: Securing Information Systems

  • Boston Celtics Score Big Points Against Spyware

    Problem: Spyware infecting laptops during team travel, affecting accessibility and performance of proprietary system

    Solutions: Deploy security software to reduce spyware.

    Mi5 Network's Webgate security appliance tool sits between corporate firewall and network to prevent spyware entering network or infected computers connecting to network

    Demonstrates IT's role in combating malicious software

    Illustrates digital technology's role in achieving security on the Web

  • System Vulnerability and Abuse

    Security: Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems

    Controls: Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards

  • Why systems are vulnerable

    Hardware problems: Breakdowns, configuration errors, damage from improper use or crime

    Software problems: Programming errors, installation errors, unauthorized changes

    Disasters: Power failures, flood, fires, etc.

    Use of networks and computers outside of firm's control: E.g., with domestic or offshore outsourcing vendors

  • Contemporary Security Challenges and Vulnerabilities

    Figure 8-1: The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

  • Internet vulnerabilities

    Network open to anyone

    Size of Internet means abuses can have wide impact

    Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers

    E-mail attachments

    E-mail used for transmitting trade secrets

    IM messages lack security, can be easily intercepted

  • Wireless security challenges

    Radio frequency bands easy to scan

    SSIDs (service set identifiers): Identify access points; broadcast multiple times

    War driving: Eavesdroppers drive by buildings and try to intercept network traffic; when hacker gains access to SSID, has access to network's resources

    WEP (Wired Equivalent Privacy): Security standard for 802.11; basic specification uses shared password for both users and access point; users often fail to use security features

  • Wi-Fi Security Challenges

    Figure 8-2: Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

  • The Worst Data Theft Ever

    Read the Interactive Session: Organizations and then discuss the following questions:

    List and describe the security control weaknesses at TJX Companies.

    What management, organization, and technology factors contributed to these weaknesses?

    What was the business impact of TJX's data loss on TJX, consumers, and banks?

    How effectively did TJX deal with these problems?

    Who should be held liable for the losses caused by the use of fraudulent credit cards in this case? The banks issuing the cards or the consumers? Justify your answer.

    What solutions would you suggest to prevent the problems?


  • Spoofing: Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; redirecting Web link to address different from intended one, with site masquerading as intended destination

    Sniffer: Eavesdropping program that monitors information traveling over network

    Denial-of-service attacks (DoS): Flooding server with thousands of false requests to crash the network

    Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS

    Botnets: Networks of "zombie" PCs infiltrated by bot malware

  • Computer crime: Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"

    Computer may be target of crime, e.g.: Breaching confidentiality of protected computerized data; accessing a computer system without authority

    Computer may be instrument of crime, e.g.: Theft of trade secrets; using e-mail for threats or harassment


  • Click fraud: Individual or computer program clicks online ad without any intention of learning more or making a purchase

    Global threats: Cyberterrorism and cyberwarfare. Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups

  • Internal threats: Employees

    Security threats often originate inside an organization: Inside knowledge; sloppy security procedures; user lack of knowledge

    Social engineering: Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

  • Software vulnerability

    Commercial software contains flaws that create security vulnerabilities: Hidden bugs (program code defects); zero defects cannot be achieved because complete testing is not possible with large programs; flaws can open networks to intruders

    Patches: Vendors release small pieces of software to repair flaws. However, the amount of software in use can mean exploits are created faster than patches can be released and implemented


  • Business Value of Security and Control

    Electronic evidence: Evidence for white collar crimes often found in digital form (data stored on computer devices, e-mail, instant messages, e-commerce transactions); proper control of data can save time, money when responding to legal discovery request

    Computer forensics: Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law; includes recovery of ambient and hidden data

  • Establishing a Framework for Security and Control

    Information systems controls

    General controls: Govern design, security, and use of computer programs and data throughout organization's IT infrastructure; combination of hardware, software, and manual procedures to create overall control environment

    Types of general controls: Software controls; hardware controls; computer operations controls; data security controls; implementation controls; administrative controls

  • Application controls: Specific controls unique to each computerized application, such as payroll or order processing; include both automated and manual procedures; ensure that only authorized data are completely and accurately processed by that application

    Types of application controls

  • Security policy: Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals; drives other policies

    Acceptable use policy (AUP): Defines acceptable uses of firm's information resources and computing equipment

    Authorization policies: Determine differing levels of user access to information assets

    Authorization management systems: Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules, profile

  • Security Profiles for a Personnel System

    Figure 8-3: These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
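    Added example, not code from the slides or the textbook, of the authorization management systems and security profiles described above: each constructed profile is a set of access rules that restrict which data a user may reach, at what level, and from which locations, with everything not granted denied. The profile names, resource names and locations are assumptions made for illustration.

```python
from dataclasses import dataclass

# Access levels ordered from least to most privileged; "none" blocks everything.
LEVELS = {"none": 0, "read": 1, "update": 2}


@dataclass(frozen=True)
class AccessRule:
    resource: str                        # exact name, or "prefix.*" wildcard
    level: str                           # highest operation permitted
    locations: frozenset = frozenset()   # empty set means any location


@dataclass
class SecurityProfile:
    name: str
    rules: list

    def rule_for(self, resource):
        """Exact rule wins; otherwise the longest matching wildcard rule."""
        best = None
        for r in self.rules:
            if r.resource == resource:
                return r
            if r.resource.endswith(".*") and resource.startswith(r.resource[:-1]):
                if best is None or len(r.resource) > len(best.resource):
                    best = r
        return best


def authorize(profile, resource, operation, location):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if operation not in LEVELS:
        return False, "unknown operation"
    rule = profile.rule_for(resource)
    if rule is None:
        return False, "no rule for resource (default deny)"
    if rule.locations and location not in rule.locations:
        return False, "location not permitted for this resource"
    if LEVELS[operation] > LEVELS[rule.level]:
        return False, f"profile allows at most '{rule.level}'"
    return True, f"granted by profile {profile.name}"


# Constructed profiles (hypothetical, not taken from the figure): a clerk who may
# update personnel records only from the personnel office but never sees medical
# history, and a manager who may only read salary data, from any location.
CLERK = SecurityProfile("personnel_clerk", [
    AccessRule("personnel.*", "update", frozenset({"personnel_office"})),
    AccessRule("personnel.medical_history", "none"),
])
MANAGER = SecurityProfile("division_manager", [
    AccessRule("personnel.salary", "read"),
    AccessRule("personnel.medical_history", "none"),
])
```

    Calling authorize(CLERK, "personnel.salary", "update", "branch_office") is denied on location alone, so the profile restricts where a user works from as well as what they may touch.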

  • Disaster recovery planning: Devises plans for restoration of disrupted services

    Business continuity planning: Focuses on restoring business operations after disaster

    Both types of plans needed to identify firm's most critical systems and business processes; business impact analysis to determine impact of an outage

    Management must determine: Maximum time systems can be down; which systems must be restored first

  • MIS audit: Examines firm's overall security environment as well as controls governing individual information systems

    Reviews technologies, procedures, documentation, training, and personnel

    May even simulate disaster to test response of technology, IS staff, other employees

    Lists and ranks all control weaknesses and estimates probability of their occurrence

    Assesses financial and organizational impact of each threat

  • Sample Auditor's List of Control Weaknesses

    Figure 8-4: This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

  • Technologies and Tools for Security

    Access control: Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders

    Authorization

    Authentication: Password systems; tokens; smart cards; biometric authentication

  • Firewall: Hardware and/or software to prevent unauthorized access to private networks

    Screening technologies: Packet filtering; stateful inspection; network address translation (NAT); application proxy filtering

    Intrusion detection systems: Monitor vulnerable points on networks to detect and deter intruders; examines events as they are happening to discover attacks in progress; scans network to find patterns indicative of attacks
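    Added example, not code from the slides or the textbook, contrasting two of the screening technologies listed above on constructed traffic: a plain packet filter judges each packet by its addresses and ports alone, while stateful inspection remembers the connections inside hosts open and admits inbound packets only as replies to them. The 10.0.0.0/8 private network, the addresses and the ports are assumptions; the scenario shows that a packet filter can only admit a reply by opening the whole high-port range, which admits an unsolicited probe as well.

```python
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed private network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt, allowed_inbound_ports=frozenset({80, 443})):
    """Packet filtering: each packet judged on its own addresses and ports.
    Outbound traffic passes; inbound passes only to the listed service ports."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return pkt.dport in allowed_inbound_ports
    return False  # traffic that does not cross the firewall boundary


class StatefulFirewall:
    """Stateful inspection: tracks outbound connections; inbound is admitted only
    as a reply to one of them or as a new connection to a published port."""

    def __init__(self, published_ports=frozenset()):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.published_ports = set(published_ports)

    def check(self, pkt):
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = not is_inside(pkt.src) and is_inside(pkt.dst)
        if outbound:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if inbound:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return True   # reply to a connection an inside host opened
            if pkt.dport in self.published_ports:
                self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
            return False      # unsolicited inbound packet is dropped
        return False


def scenario():
    """Constructed traffic: outbound DNS query, its reply, and an unsolicited probe
    aimed at the same inside port. Returns each firewall's decisions in that order."""
    query = Packet("10.0.0.5", 40000, "203.0.113.7", 53)
    reply = Packet("203.0.113.7", 53, "10.0.0.5", 40000)
    probe = Packet("198.51.100.9", 53, "10.0.0.5", 40000)
    wide_open = frozenset(range(1024, 65536))   # what a packet filter needs to pass the reply
    fw = StatefulFirewall(published_ports={443})
    return {
        "stateless_strict": [stateless_filter(p) for p in (query, reply, probe)],
        "stateless_wide": [stateless_filter(p, wide_open) for p in (query, reply, probe)],
        "stateful": [fw.check(p) for p in (query, reply, probe)],
    }
```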

  • A Corporate Firewall

    Figure 8-5: The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.


  • Digital Certificates

    Figure 8-