7/23/2019 Ch08 Securing Information Systems
1/43
8.1 © 2010 by Pearson
Chapter 8
Securing Information Systems
LEARNING OBJECTIVES
Explain why information systems are vulnerable to destruction, error, and abuse.
Assess the business value of security and control.
Identify the components of an organizational framework for security and control.
Evaluate the most important tools and technologies for safeguarding information resources.
Management Information Systems, Chapter 8: Securing Information Systems
Boston Celtics Score Big Points Against Spyware
Problem: Spyware infecting laptops during team travel, affecting accessibility and performance of proprietary system
Solutions: Deploy security software to reduce spyware.
Mi5 Network's Webgate security appliance tool sits between corporate firewall and network to prevent spyware entering network or infected computers connecting to network
Demonstrates IT's role in combating malicious software
Illustrates digital technology's role in achieving security on the Web
System Vulnerability and Abuse
Security
Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls
Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards
Why systems are vulnerable
Hardware problems
Breakdowns, configuration errors, damage from improper use or crime
Software problems
Programming errors, installation errors, unauthorized changes
Disasters
Power failures, flood, fires, etc.
Use of networks and computers outside of firm's control
E.g., with domestic or offshore outsourcing vendors
Contemporary Security Challenges and Vulnerabilities
Figure 8-1
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
Internet vulnerabilities
Network open to anyone
Size of Internet means abuses can have wide impact
Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers
E-mail attachments
E-mail used for transmitting trade secrets
IM messages lack security, can be easily intercepted
Wireless security challenges
Radio frequency bands easy to scan
SSIDs (service set identifiers)
Identify access points
Broadcast multiple times
War driving
Eavesdroppers drive by buildings and try to intercept network traffic
When hacker gains access to SSID, has access to network's resources
WEP (Wired Equivalent Privacy)
Security standard for 802.11
Basic specification uses shared password for both users and access point
Users often fail to use security features
Wi-Fi Security Challenges
Figure 8-2
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
The Worst Data Theft Ever
Read the Interactive Session: Organizations and then discuss the following questions
List and describe the security control weaknesses at TJX Companies.
What management, organization, and technology factors contributed to these weaknesses?
What was the business impact of TJX's data loss on TJX, consumers, and banks?
How effectively did TJX deal with these problems?
Who should be held liable for the losses caused by the use of fraudulent credit cards in this case? The banks issuing the cards or the consumers? Justify your answer.
What solutions would you suggest to prevent the problems?
Spoofing
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
Redirecting Web link to address different from intended one, with site masquerading as intended destination
Sniffer
Eavesdropping program that monitors information traveling over network
Denial-of-service attacks (DoS)
Flooding server with thousands of false requests to crash the network
Distributed denial-of-service attacks (DDoS)
Use of numerous computers to launch a DoS
Botnets
Networks of "zombie" PCs infiltrated by bot malware
Computer crime
Defined as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
Computer may be target of crime, e.g.:
Breaching confidentiality of protected computerized data
Accessing a computer system without authority
Computer may be instrument of crime, e.g.:
Theft of trade secrets
Using e-mail for threats or harassment
Click fraud
Individual or computer program clicks online ad without any intention of learning more or making a purchase
Global threats: Cyberterrorism and cyberwarfare
Concern that Internet vulnerabilities and other networks make digital networks easy targets for digital attacks by terrorists, foreign intelligence services, or other groups
Internal threats: Employees
Security threats often originate inside an organization
Inside knowledge
Sloppy security procedures
User lack of knowledge
Social engineering
Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
Software vulnerability
Commercial software contains flaws that create security vulnerabilities
Hidden bugs (program code defects)
Zero defects cannot be achieved because complete testing is not possible with large programs
Flaws can open networks to intruders
Patches
Vendors release small pieces of software to repair flaws
However, amount of software in use can mean exploits created faster than patches can be released and implemented
Business Value of Security and Control
Electronic evidence
Evidence for white collar crimes often found in digital form
Data stored on computer devices, e-mail, instant messages, e-commerce transactions
Proper control of data can save time, money when responding to legal discovery request
Computer forensics
Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
Includes recovery of ambient and hidden data
Establishing a Framework for Security and Control
Information systems controls
General controls
Govern design, security, and use of computer programs and data throughout organization's IT infrastructure
Combination of hardware, software, and manual procedures to create overall control environment
Types of general controls
Software controls
Hardware controls
Computer operations controls
Data security controls
Implementation controls
Administrative controls
Application controls
Specific controls unique to each computerized application, such as payroll or order processing
Include both automated and manual procedures
Ensure that only authorized data are completely and accurately processed by that application
Types of application controls
Security policy
Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
Drives other policies
Acceptable use policy (AUP)
Defines acceptable uses of firm's information resources and computing equipment
Authorization policies
Determine differing levels of user access to information assets
Authorization management systems
Allow each user access only to those portions of system that person is permitted to enter, based on information established by set of access rules, profile
Security Profiles for a Personnel System
Figure 8-3
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
Disaster recovery planning
Devises plans for restoration of disrupted services
Business continuity planning
Focuses on restoring business operations after disaster
Both types of plans needed to identify firm's most critical systems and business processes
Business impact analysis to determine impact of an outage
Management must determine
Maximum time systems can be down
Which systems must be restored first
MIS audit
Examines firm's overall security environment as well as controls governing individual information systems
Reviews technologies, procedures, documentation, training, and personnel
May even simulate disaster to test response of technology, IS staff, other employees
Lists and ranks all control weaknesses and estimates probability of their occurrence
Assesses financial and organizational impact of each threat
Sample Auditor's List of Control Weaknesses
Figure 8-4
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
Technologies and Tools for Security
Access control
Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
Authorization
Authentication
Password systems
Tokens
Smart cards
Biometric authentication
Firewall
Hardware and/or software to prevent unauthorized access to private networks
Screening technologies
Packet filtering
Stateful inspection
Network address translation (NAT)
Application proxy filtering
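Added example, not part of the slides and not modelled on any vendor's firewall: a Python packet filter that combines the first two screening technologies listed above. Packet filtering is the rule table evaluated top to bottom with a default deny; stateful inspection is the connection table that admits reply traffic for flows already allowed and drops mid-stream TCP packets that belong to no known connection, which a purely stateless filter would pass if their port matched a rule. NAT and application proxying are not shown. The rule table, the private address range, the packets and all names are constructed for the example.

```python
"""Packet filtering plus stateful inspection (added example, not from the slides).

Addresses, ports, rules and class names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True only for the first packet of a new TCP connection


# The firm's private network; everything else is treated as the outside.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Packet-filtering rules: (action, direction, proto, dst_port), first match wins.
# "in" = arriving from outside, "out" = leaving the private network.
# None matches any value. The last rule is the default deny for inbound traffic.
RULES = [
    ("allow", "in", "tcp", 443),    # public HTTPS server reachable from the Internet
    ("allow", "in", "tcp", 25),     # inbound mail relay
    ("allow", "out", None, None),   # any new connection started from inside
    ("deny", "in", None, None),     # everything else from outside is refused
]


class StatefulFirewall:
    def __init__(self):
        # 5-tuples of flows the rule table has admitted; replies are matched
        # against the reversed tuple.
        self.established = set()

    def _direction(self, pkt):
        return "out" if ipaddress.ip_address(pkt.src) in INTERNAL else "in"

    def filter(self, pkt):
        """Return "allow" or "deny" for one packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

        # Stateful inspection: packets of an already admitted flow (either
        # direction) pass without consulting the rule table again.
        if key in self.established or reply_key in self.established:
            return "allow"

        # A TCP packet that is not a connection start and matches no known
        # flow is a stray or forged mid-stream segment: drop it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"

        # Packet filtering for new flows: first matching rule decides.
        direction = self._direction(pkt)
        for action, rule_dir, proto, dport in RULES:
            if rule_dir != direction:
                continue
            if proto is not None and proto != pkt.proto:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if action == "allow":
                self.established.add(key)   # remember the flow for its replies
            return action
        return "deny"   # no rule matched: default deny


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("10.1.2.3", 50000, "203.0.113.5", 80, syn=True)))   # allow (outbound)
    print(fw.filter(Packet("203.0.113.5", 80, "10.1.2.3", 50000)))             # allow (reply to known flow)
    print(fw.filter(Packet("198.51.100.7", 40000, "10.0.0.10", 22, syn=True))) # deny (no inbound rule)
    print(fw.filter(Packet("198.51.100.9", 41000, "10.0.0.10", 443)))          # deny (no connection state)
```

The reply packet from 203.0.113.5 is admitted only because the outbound connection that it answers was recorded; an inbound packet to the permitted port 443 that does not start a connection and has no recorded flow is still dropped, which is the difference stateful inspection makes over plain packet filtering.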
Intrusion detection systems
Monitor vulnerable points on networks to detect and deter intruders
Examines events as they are happening to discover attacks in progress
Scans network to find patterns indicative of attacks
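Added example (not from the slides): a pattern-based intrusion detection routine in Python that scans constructed connection log lines for two signatures of the kind the slide describes, a port scan (one source touching many distinct ports within a short window) and repeated failed logins from one source. The log format, thresholds, time window and addresses are assumptions made for the example, and the function names are my own.

```python
"""Pattern-based intrusion detection over connection logs (added example).

Assumed log format, one event per line (constructed for this example):
    "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <event>"
where event is "connect" (a new connection) or "auth_fail" (a failed login).
"""
from collections import defaultdict

# Constructed sample log: a port sweep from 198.51.100.7, a burst of failed
# logins from 10.0.0.5, and ordinary activity from 10.0.0.6.
SAMPLE_LOG = """\
1000 198.51.100.7 10.0.0.10 22 connect
1001 198.51.100.7 10.0.0.10 23 connect
1002 198.51.100.7 10.0.0.10 25 connect
1003 198.51.100.7 10.0.0.10 80 connect
1004 198.51.100.7 10.0.0.10 110 connect
1005 198.51.100.7 10.0.0.10 143 connect
1010 10.0.0.5 10.0.0.10 22 auth_fail
1011 10.0.0.5 10.0.0.10 22 auth_fail
1012 10.0.0.5 10.0.0.10 22 auth_fail
1013 10.0.0.5 10.0.0.10 22 auth_fail
1014 10.0.0.5 10.0.0.10 22 auth_fail
1100 10.0.0.6 10.0.0.10 443 connect
1200 10.0.0.6 10.0.0.10 22 auth_fail
"""

# Assumed detection thresholds (tune to the environment's normal traffic).
PORT_SCAN_PORTS = 5     # distinct destination ports from one source within WINDOW
AUTH_FAIL_LIMIT = 4     # failed logins from one source within WINDOW
WINDOW = 60             # seconds


def parse(line):
    ts, src, dst, port, event = line.split()
    return int(ts), src, dst, int(port), event


def detect(log_text):
    """Scan the log in order and return alerts as (signature, src_ip, first_ts),
    at most one alert per signature and source."""
    connects = defaultdict(list)    # src -> [(ts, dst_port)] within the window
    failures = defaultdict(list)    # src -> [ts] within the window
    alerts, flagged = [], set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, event = parse(line)

        if event == "connect":
            # Keep only events inside the sliding window, then count distinct ports.
            connects[src] = [(t, p) for t, p in connects[src] if ts - t <= WINDOW]
            connects[src].append((ts, port))
            distinct = {p for _, p in connects[src]}
            if len(distinct) >= PORT_SCAN_PORTS and ("port_scan", src) not in flagged:
                flagged.add(("port_scan", src))
                alerts.append(("port_scan", src, connects[src][0][0]))

        elif event == "auth_fail":
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW]
            failures[src].append(ts)
            if len(failures[src]) >= AUTH_FAIL_LIMIT and ("auth_bruteforce", src) not in flagged:
                flagged.add(("auth_bruteforce", src))
                alerts.append(("auth_bruteforce", src, failures[src][0]))

    return alerts


if __name__ == "__main__":
    for signature, src, first_ts in detect(SAMPLE_LOG):
        print(f"ALERT {signature} from {src} starting at t={first_ts}")
```

Both signatures are evaluated as events arrive, so an alert is raised while the pattern is still in progress rather than after a batch review; the single failed login from 10.0.0.6 stays below the threshold and produces nothing, which is the kind of tuning that keeps an IDS from drowning operators in false alarms.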
A Corporate Firewall
Figure 8-5
The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.
Digital Certificates
Figure 8-