Chapter 15 Managing information security

Topics

1. The need for controls

2. Control strategies

3. Types of controls

4. Techniques for controlling IS

5. Threats related to Internet services

The need for controls

Controls upon information systems are based upon two underlying principles:

• The need to ensure the accuracy of the data held by the organization

• The need to protect against loss or damage

The need for controls (Continued)

The most common threats faced by organizational information systems can be placed into the following categories:

• Accidents

• Natural Disasters

• Sabotage (Industrial and Individual)

• Vandalism

• Theft

• Unauthorised Use (Hacking)

• Computer Viruses (to be discussed later)

The need for controls (Continued)

Accidents – due to human error

Ways in which human errors can occur include:

• Inaccurate data entry

• Attempts to carry out tasks beyond the ability of the employee

• Failure to comply with procedures for the use of the organizational information systems

• Failure to carry out backup procedures or verify data backups.

The need for controls (Continued)

Natural disasters

• All information systems are susceptible to damage caused by natural phenomena such as storms, lightning strikes, floods and earthquakes.

Sabotage

• With regard to information systems, sabotage may be deliberate or unintentional and carried out on an individual basis or as an act of industrial sabotage.

The need for controls (Continued)

Vandalism

• Deliberate damage caused to hardware, software and data is considered a serious threat to information systems security.

Theft

• As with vandalism, the loss of important hardware, software or data can have significant effects on an organization’s effectiveness.

• Theft can be divided into two basic categories: physical theft and data theft.

The need for controls (Continued)

• Physical theft involves the theft of hardware and software.

• Data theft involves stealing sensitive information or making unauthorized changes to computer records.

Unauthorized use

• One of the most common security risks in relation to computerized information systems is the danger of unauthorized access to confidential data.

The need for controls (Continued)

• A hacker is a person who attempts to gain unauthorized access to a computer-based information system, usually via a telecommunications link.

• A cracker is a person who gains access to an information system for malicious reasons.

The need for controls (Continued)

Hackers can be considered to fall into one of three categories:

1. Those who wish to demonstrate their computer skills by outwitting the designers of a particular system.

2. Those who wish to gain some form of benefit (usually financial) by stealing, altering or deleting confidential information.

3. Those who wish to cause malicious damage to an information system, perhaps as an act of revenge against a former employer.

Control strategies

• Strategies for reducing threats to information systems are discussed.

• There are four major approaches that can be taken to ensure the integrity of information systems.

• These are:

1. Containment

2. Deterrence

3. Obfuscation

4. Recovery

Control strategies (Continued)

Containment

• The strategy of containment attempts to control access to an information system. There are 3 approaches.

1. Making potential targets as unattractive as possible.

– This could be done by creating the impression that the target IS contains data of little or no value.

2. Creating an effective series of defences against potential threats.

– If the expense, time and effort required to gain access to the information system are greater than any benefits derived from gaining access, then intrusion becomes less likely.

Control strategies (Continued)

3. Removing the target information system from potential threats.

– Typical ways in which this might be achieved include distributing assets across a large geographical area, distributing important data across the entire organization or isolating important systems.

Control strategies (Continued)

Deterrence

A strategy based upon deterrence uses the threat of punishment to discourage potential intruders.

The overall approach is one of anticipating and countering the motives of those most likely to threaten the security of the system.

• Constantly advertising and reinforcing the penalties for unauthorized access.

• Attempting to detect potential threats as early as possible, e.g. by monitoring patterns of IS usage and investigating all anomalies.

• Predicting likely areas of attack and then implementing appropriate defences or countermeasures.

Control strategies (Continued)

• Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited.

– Monitoring all of the organization’s activities, not just those related to the use of its IS.

– Carrying out regular audits of data, hardware, software and security measures.

Control strategies (Continued)

Recovery

• A strategy based upon recovery recognizes that, no matter how well defended, a breach in the security of an IS will eventually occur.

• Such a strategy is largely concerned with ensuring that the normal operation of the IS is restored as quickly as possible, with as little disruption to the organization as possible.

• In anticipating damage or loss, a great deal of emphasis is placed upon backup procedures and recovery measures.

• In large organizations, a backup site might be created, so that data processing can be switched to a secondary site immediately in the event of an emergency.

Types of controls

There are five major categories of controls that can be applied to IS.

These are:

• Physical protection

• Biometric controls

• Telecommunications controls

• Failure controls

• Auditing

Types of controls (Continued)

Physical protection

Involves the use of physical barriers intended to protect against theft and unauthorized access.

Biometric controls

These controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment.

Scanners that check fingerprints, voice prints or even retinal patterns are examples of biometric controls.

Types of controls (Continued)

Telecommunications controls

• These controls help to verify the identity of a particular user.

• Common types include passwords and user validation routines.

Failure controls

• These controls attempt to limit or avoid damage caused by the failure of an information system.

• Typical examples include recovery procedures and regular backups of data.

Types of controls (Continued)

Auditing

• Auditing involves taking stock of procedures, hardware, software and data at regular intervals.

• Audits can be carried out automatically with an appropriate program.

• Auditing software works by scanning the hard disk drives of any computers, terminals and servers attached to a network system.

Techniques for controlling IS

Common techniques are:

1. Formal security policies

2. Passwords

3. Encryption

4. Organizational procedures governing the use of IS

5. User validation techniques

6. Backup procedures

Techniques for controlling IS

1. Formal security policy

• The simplest and most effective control is the formulation of a comprehensive policy on security.

• Once the policy has been formulated, it must be publicized in order for it to become effective.

• The support of management is essential in order to ensure that employees adhere to the guidelines contained within the policy.

Techniques for controlling IS

2. Passwords

• The password represents one of the most common forms of protection.

• Passwords provide a number of benefits.

– They provide a simple, inexpensive means of restricting access to equipment and sensitive data.

– Access to the system can be divided into levels by issuing different passwords to employees based on their positions and the work they carry out.

– The actions of an employee can be regulated and supervised by monitoring the use of their password.

– If a password is discovered or stolen by an external party, it should be possible to limit any damage arising as a result.

– The use of passwords can encourage employees to take some of the responsibility for the overall security of the system.

Techniques for controlling IS (Continued)

3. Encryption

• An additional layer of protection for sensitive data can be provided by making use of encryption techniques.

• Modern encryption methods rely upon the use of one or more keys.

• Without the correct key, any encrypted data is meaningless – and therefore of no value – to a potential thief.

Techniques for controlling IS (Continued)

4. Procedures

• Under normal circumstances, a set of procedures for the use of an IS will arise from the creation of a formal security policy.

• Such procedures describe in detail the correct operation of the system and responsibilities of users.

• The procedures should highlight issues related to security, should explain some of the reasoning behind them and should also describe the penalties for failing to comply with instructions.

Techniques for controlling IS (Continued)

5. User validation

• It involves checks made to ensure the user is permitted access to a system.

• It involves user names and passwords and can also include biometric techniques.

Techniques for controlling IS (Continued)

6. Backup procedures

• One of the most common methods of protecting valuable data is to use the “grandfather, father, son” technique.

• A rotating set of backup disks or tapes is used so that three different versions of the same data are held at any one time.

• Table 15.2 illustrates the operation of the “grandfather, father, son” method.

Table 15.2 The “grandfather, father, son” backup method

              Day 1     Day 2     Day 3
Grandfather   Disk 1    Disk 2    Disk 3
Father        Disk 2    Disk 3    Disk 1
Son           Disk 3    Disk 1    Disk 2
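The rotation in Table 15.2, replayed as an added example (not part of the original slides): each day's backup overwrites the grandfather disk, and a restore falls back to an older generation when the newest copy fails its checksum. The class, its method names and the sample data are assumptions made for illustration.

```python
import hashlib

ROLES = ("grandfather", "father", "son")  # oldest to newest generation


class GfsRotation:
    """Three-disk rotation from Table 15.2 (names here are hypothetical)."""

    def __init__(self, disks=("Disk 1", "Disk 2", "Disk 3")):
        self.order = list(disks)  # index 0 is overwritten next
        self.store = {}           # disk -> (day, data, SHA-256 at backup time)

    def backup(self, day, data):
        """Overwrite the oldest disk; it becomes the new 'son'."""
        self.order.append(self.order.pop(0))
        self.store[self.order[-1]] = (day, data, hashlib.sha256(data).hexdigest())

    def roles(self):
        """Map each role to the disk that currently holds it."""
        return dict(zip(ROLES, self.order))

    def corrupt(self, disk):
        """Simulate media damage: the data changes, the recorded digest does not."""
        day, _, digest = self.store[disk]
        self.store[disk] = (day, b"damaged", digest)

    def restore(self):
        """Return (disk, day, data) for the newest generation that verifies."""
        for disk in reversed(self.order):
            # A disk that was never written has no digest and fails the check.
            day, data, digest = self.store.get(disk, (None, b"", ""))
            if hashlib.sha256(data).hexdigest() == digest:
                return disk, day, data
        raise RuntimeError("no backup generation passed verification")


def run_table_15_2():
    """Replay Days 1-3 of Table 15.2 with constructed sample data."""
    rot, history = GfsRotation(), {}
    for day in (-1, 0, 1, 2, 3):  # days -1 and 0 fill the older generations
        rot.backup(day, b"ledger as of day %d" % day)
        if day >= 1:
            history[day] = rot.roles()
    return rot, history


if __name__ == "__main__":
    rot, history = run_table_15_2()
    rot.corrupt(history[3]["son"])
    print(history, rot.restore()[:2])
```

The digest sits beside the data here only to keep the example short; in practice it would be recorded away from the backup media so that damage to a disk cannot also damage its checksum.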

Malware

• The term “malware” (Malicious software) is a generic term for software intended to gather confidential information from a computer system, or cause harm to valuable data.

• In general, malware can be broken down into a number of categories:

– Computer viruses

– Trojans and key loggers

– Spyware

Computer viruses

• A computer virus is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another.

• All viruses should be considered to be harmful.

• Even if a virus program does nothing more than reproduce itself, it may still cause system crashes and data loss.

Types of viruses (Continued)

• Two other kinds of programs are related to computer viruses: worms and Trojans.

• A worm is a small program that moves through a computer system randomly changing or overwriting pieces of data as it moves.

• A Trojan appears as a legitimate program in order to gain access to a computer system.

– Trojans are often used as delivery systems for computer viruses.

– They appear to be genuine, useful programs but are actually delivering a destructive computer virus.

Spyware

• Spyware represents a new type of threat for business and home users.

• Spyware describes a category of software designed to capture and record confidential information without a user’s knowledge or consent.

• Example: Software known as a key logger records every key pressed by a user. This software can be used to collect passwords and other information such as the contents of documents and email messages over a period of time.

Spyware (Continued)

• Spyware is also produced and disseminated as adware (advertising-supported software).

• Adware describes a type of software that contains spyware intended to monitor a user’s online activities, usually so that advertising can be targeted more accurately.

• Adware monitors how people use their computers and the Internet.

• It collects information such as details of any websites visited, and reports back to a central server.

Threats related to Internet services

Denial of service (DoS)

• This is a form of attack on company information systems that involves flooding the company’s Internet servers with huge amounts of traffic.

• Such attacks effectively halt all of the company’s Internet activities.

Identity theft and brand abuse

• Identity theft involves using another person’s identity to carry out acts that range from sending libelous email to making fraudulent purchases.

Threats related to Internet services (Continued)

Extortion

Various approaches can be used to extort money from companies.

1. Cybersquatting involves registering an Internet domain that a company or celebrity is likely to want to own.

2. A more common form of extortion usually occurs after a security breach in which sensitive company information has been obtained. Often, the threat involves making the information available to competitors or the public unless payment is made.

Threats related to Internet services (Continued)

Abuse of resources

• Organizations have always needed to ensure that employees do not take advantage of company resources for personal reasons.

• Whilst certain acts, such as sending the occasional personal email, are tolerated by most companies, the increased availability of Internet access and email facilities increases the risk that such facilities may be abused.

Threats related to Internet services (Continued)

Other risks

• Cyber-terrorism describes attacks made on information systems that are motivated by political or religious beliefs.

• Online stock fraud – Most online stock fraud involves posting false information to the Internet in order to increase or decrease the values of stocks.

• Social engineering – This involves tricking people into providing information that can be used to gain access to a computer system.

• Phishing – A relatively new development, phishing involves attempting to gather confidential information through fake email messages and websites.

Managing threats to Internet services

• Recently, a range of specialized software applications have appeared that help individuals and companies maintain the security of their systems. Examples include:

• Firewalls. Firewalls act as a barrier between an information system and the Internet. The software attempts to monitor and control all incoming and outgoing traffic in an attempt to prevent outsiders gaining access to the information system.

• A firewall is a specialized software application mounted on a server at the point where the company is connected to the Internet, to prevent unauthorized access into the company by outsiders.

Managing threats to Internet services (Continued)

• Intrusion detection software. This type of software monitors activity on a network in order to identify intruders. Typically, the software will look for characteristic patterns of behaviour that might identify the fact that someone has gained access to the network.

• AI software. Many organizations have begun to develop applications that use artificial intelligence in order to detect intrusion attempts or unusual activity that might indicate a breach in security.