Chapter 17: Controls and Security Measures

I. Assets and Threats

Information System Assets That Must Be Protected
  People
  Hardware
  Software
  Operating systems
  Applications
  Data
  Networks

Main Sources of Security Threats
  Hardware failure
  Software failure (unknown bug)
  Fire
  Electrical problem
  Natural disaster (flood, hurricane, tornado, etc.)
  Alteration or destruction of data
  Human error
  Unauthorized access (internal or external)
  Theft of data, information, services, equipment, or money
  Telecommunications problems
  Computer viruses

II. Classifications For Controls

Classification 1
  Preventive control – a constraint designed to prevent a security risk from occurring
    Example: use of passwords for systems access
  Detective control – a constraint designed to detect a security risk as it occurs
    Example: virus detection software
  Corrective control – a constraint designed to correct a breach of security after it has occurred
    Example: a disaster recovery plan

Classifications For Controls

Classification 2
  General controls establish a framework for controlling the design and use of information system assets and operations:
    Software controls – monitor the use of system software
    Hardware controls – provisions for protection from fire
    Computer operations controls – backup and recovery procedures
    Data security controls – unauthorized access
    Implementation controls – audit the systems development process
    Administrative controls – implement procedures to ensure controls are properly executed and enforced
  Application controls:
    Input controls – check data for accuracy
    Processing controls – establish that data are complete and accurate results are obtained
    Output controls – ensure that results are properly distributed

Management Analysis For Reducing Threats: 1

Type of Threat    | Type of Control
                  | Preventive    | Detective     | Corrective
Hardware failure  | List controls | List controls | List controls
Software failure  | List controls | List controls | List controls
Fire              | List controls | List controls | List controls

Management Analysis For Reducing Threats: 2

Threats           | Information Systems Asset
                  | Hardware      | Software      | Data
Hardware failure  | List controls | List controls | List controls
Software failure  | List controls | List controls | List controls
Fire              | List controls | List controls | List controls

III. Risk Management

Risk management consists of:
  the identification of risks or threats
  the implementation of controls
  the monitoring of the controls for effectiveness

Risk assessment is a risk management activity that attempts to determine:
  What can go wrong?
  How likely is it to go wrong?
  What are the consequences if it does go wrong?

The Economic Aspect of Risk Management - 1

Two types of costs to consider when determining how much to spend on data security:
  The cost of potential damage
  The cost of implementing a preventive measure

The total cost of potential damage is the aggregate of all the potential damages multiplied by the probability of the occurrence of the damage. These numbers can be difficult to estimate.

The Economic Aspect of Risk Management - 2

Figure 17.12 The total cost to the enterprise is lowest at "Optimum." No less, and no more, should be spent on information security measures.
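The trade-off behind Figure 17.12 can be worked through numerically: expected damage is the sum of each potential damage multiplied by its probability, and the optimum is the set of measures that minimises spend plus residual expected damage. The code below is an added example and not part of the chapter; the threats, damages, probabilities and measures are constructed sample figures.

```python
from itertools import combinations

# Constructed sample data (not from the chapter): estimated damage per event
# and the probability of that event occurring in a year.
THREATS = {
    "hardware failure": {"damage": 80_000, "probability": 0.10},
    "software failure": {"damage": 50_000, "probability": 0.20},
    "fire":             {"damage": 500_000, "probability": 0.01},
}

# Candidate preventive measures (constructed): yearly cost and, per threat,
# the fraction by which the measure reduces that threat's probability.
MEASURES = {
    "redundant hardware":  {"cost": 4_000,  "reduces": {"hardware failure": 0.8}},
    "software QA process": {"cost": 6_000,  "reduces": {"software failure": 0.7}},
    "fire suppression":    {"cost": 3_000,  "reduces": {"fire": 0.9}},
    "hot site":            {"cost": 25_000, "reduces": {"fire": 0.5, "hardware failure": 0.5}},
}


def expected_damage(threats, chosen):
    """Aggregate of potential damages multiplied by their (residual) probabilities."""
    total = 0.0
    for name, t in threats.items():
        p = t["probability"]
        for m in chosen:                       # each measure scales the probability down
            p *= 1 - MEASURES[m]["reduces"].get(name, 0.0)
        total += t["damage"] * p
    return total


def total_cost(threats, chosen):
    """Spend on preventive measures plus residual expected damage: the curve in Figure 17.12."""
    spend = sum(MEASURES[m]["cost"] for m in chosen)
    return spend + expected_damage(threats, chosen)


def optimum(threats, measures):
    """Try every subset of measures; return (subset, total cost) with the lowest total."""
    names = list(measures)
    best = None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = total_cost(threats, subset)
            if best is None or cost < best[1]:
                best = (frozenset(subset), cost)
    return best


if __name__ == "__main__":
    chosen, cost = optimum(THREATS, MEASURES)
    print(f"No controls: expected damage {expected_damage(THREATS, ()):,.0f}")
    print(f"Optimum: {sorted(chosen)} at total cost {cost:,.0f}")
```

With these figures the hot site never pays for itself, so the optimum buys the three cheaper measures and accepts the remaining expected damage.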

IV. Telecommunication Network Vulnerabilities

Due to the complex and diverse hardware, software, organizational and personnel arrangements required for telecommunication networks, there are many areas of vulnerability:
  Natural failures of hardware and software
  Misuse by programmers, computer operators, maintenance staff, and end users
  Tapping of lines and illegal intercepts of data
  Interference such as crosstalk
  Interference from radiation of other devices

Special Threats to the Internet
  Viruses
  Web defacing
  Spoofing
  Denial of service attacks
  Hackers

Computer Viruses

Viruses – a computer virus is software that is written with malicious intent to cause annoyance or damage. Viruses can be benign or malignant.
  A benign virus displays a message or slows down a computer but does not destroy information.
  A malignant virus can do damage to your computer system such as scrambling or deleting files, shutting your computer down, or making applications not function.

Viruses spread by copying infected files from someone else's disk or by receiving infected files as an email attachment.

More On Viruses

A macro virus is a malignant virus that spreads by binding itself to application software like Word or Excel and makes copies of itself (replicates) each time you use the application. If you have such a virus on your computer you can infect another machine by attaching an infected file to an email. The email recipient infects their machine as soon as they open the attachment.

Worms are particularly nasty macro viruses because they spread from computer to computer rather than file to file. Worms do not need your help; worms find your email address book and send themselves to your contacts.

Other Threats To the Internet

Web defacing – people break into a Web site and replace the site with a substitute site that is neither attractive nor complimentary; electronic graffiti.

Spoofing – the perpetrator uses flaws in the domain name software (DNS) used on the Internet to redirect a potential Web site visitor to an alternate site that is usually not complimentary to the real site owner. This is similar to someone switching your name with someone else's in a telephone directory.

Denial of service attack (DoS) – this occurs when too many requests are received to log on to a Web site's page. Multiple log-on requests are perpetrated by specially designed software that can automatically generate log-in requests over a long period of time.

Distributed denial of service attacks (DDoS) are denial of service attacks that are perpetrated from multiple computers.

Hackers

A hacker is a person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure. Hackers are responsible for computer viruses, Web defacing, spoofing, and denial of service attacks.

Seventy-three percent of respondents to a survey in 1998 of 1600 companies in 50 countries reported security breaches:
  58% of the breaches were from authorized employees
  24% of the breaches were from unauthorized employees
  13% of the breaches were from hackers or terrorists

Examples of Network/Internet Controls - 1

Anti-virus software detects and removes or quarantines computer viruses. You must update your anti-virus software frequently since new viruses come along every day.

Firewalls are hardware and/or software that protects a computer or network from intruders. Firewalls also can detect if your computer is communicating with the Internet without your approval.

A callback control verifies a remote user's telephone number before access is allowed.

Examples of Network/Internet Controls - 2

Access controls check who you are before you can have access. Ways to check on access are (1) passwords, (2) special ID cards, or (3) biometrics (fingerprints, voice, retina of your eye).

Encryption codes a message to prevent unauthorized access to or understanding of the data being transmitted.
  For Web transactions SSL and SHTTP are the encryption standards.
  When you access data on a secure server the communication between your browser and the secure server is encrypted.

Intrusion-detection software looks for people on a network who are acting suspiciously (e.g., trying lots of passwords).
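The "trying lots of passwords" pattern is the classic detective control: count failed logins per source inside a sliding time window and raise an alert when the count crosses a threshold. This is an added example, not software from the chapter; the log format and the log lines are constructed for the demonstration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the chapter), one event per line.
SAMPLE_LOG = """\
2024-03-01 09:15:02 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01 09:15:04 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01 09:15:05 LOGIN OK   user=bob   src=10.0.0.9
2024-03-01 09:15:07 LOGIN FAIL user=admin src=10.0.0.5
2024-03-01 09:15:08 LOGIN FAIL user=root  src=10.0.0.5
2024-03-01 09:15:09 LOGIN FAIL user=guest src=10.0.0.5
2024-03-01 09:15:30 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01 09:20:00 LOGIN FAIL user=carol src=10.0.0.7
2024-03-01 09:21:00 LOGIN OK   user=carol src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"],
        })
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that reaches `threshold` failed logins within `window`."""
    recent = {}      # src -> deque of failure timestamps still inside the window
    flagged = set()  # sources already reported, so one alert per source
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        q = recent.setdefault(ev["src"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"src": ev["src"], "failures": len(q), "at": ev["ts"]})
    return alerts
```

In the sample, 10.0.0.5 cycles through several account names in a few seconds and is flagged on its fifth failure, while the single failure from 10.0.0.7 followed by a successful login is left alone.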

Examples of Network/Internet Controls - 3

Digital signature is a digital code attached to an electronically transmitted message that is used to verify the origins and contents of the message (e.g., similar to a written signature).

Digital certificates are attachments to an electronic message to verify the identity of the sender and to provide a means to encode a reply.

Load balancing is the process of distributing a large number of access requests among multiple servers so that no single server is overwhelmed.

Other Controls - 1

Backup is the process of making a copy of the information stored on a computer. There is no action that you can take that is more essential than regular backups.

Surveillance cameras in areas that contain IS assets can deter theft or destruction.

Surveillance software can record user actions down to individual keystrokes.

Anti-theft systems can be installed where alarms go off if unauthorized personnel tamper with computer hardware.

Other Controls - 2

A hot site is a separate and fully equipped facility where a firm can move immediately after a disaster and resume business.

Fault-tolerant computer systems are systems that contain extra hardware, software, and power supply components that create an environment that provides continuous uninterrupted service.

Disaster recovery plan is a plan for running the business in the event of a computer outage. The plan states what should be done and by whom.

Other Controls - 3

Data entry controls try to reduce errors in the data entry process by restricting the range of the data or its format (in Access see "validation rules" or "input masks" in the Design View for tables).

Separation of duties means that different people are in charge of different activities, allowing checks and balances and minimizing the possibility of criminal behavior.

An audit trail is a system that automatically records data such as the date and time of a transaction or the name or password of a user performing a specified activity (often without the knowledge of the user).
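The two data entry controls named above, format restriction (input masks) and range restriction (validation rules), can be applied outside Access as well. The code below is an added example, not from the chapter or from Access: it implements a subset of the Access input-mask characters as a regex translator and pairs it with validation rules written as plain predicates; the employee table definition is constructed for the demonstration.

```python
import re

# Subset of the Access input-mask characters handled here (an assumption of this
# example, not a full implementation): 0 required digit, 9 optional digit,
# L required letter, ? optional letter, A required letter or digit,
# a optional letter or digit, backslash escapes the next character,
# any other character is a literal that must appear as-is.
MASK_PIECES = {
    "0": r"\d", "9": r"\d?", "L": r"[A-Za-z]", "?": r"[A-Za-z]?",
    "A": r"[A-Za-z0-9]", "a": r"[A-Za-z0-9]?",
}


def mask_to_regex(mask):
    """Translate an input mask such as '000-00-0000' into an anchored regex."""
    parts = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\" and i + 1 < len(mask):   # escaped literal, e.g. '\.'
            parts.append(re.escape(mask[i + 1]))
            i += 2
            continue
        parts.append(MASK_PIECES.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(parts) + r"\Z")


def matches_mask(value, mask):
    return mask_to_regex(mask).match(value) is not None


# Constructed table definition: field -> (input mask or None, validation rule or None).
# The predicates stand in for Access rule expressions such as "Between 16 And 70".
EMPLOYEE_FIELDS = {
    "ssn":   ("000-00-0000", None),
    "badge": ("LL0000", None),
    "age":   (None, lambda v: v.isdigit() and 16 <= int(v) <= 70),   # Between 16 And 70
    "dept":  (None, lambda v: v in {"SALES", "IT", "HR"}),           # In ("SALES","IT","HR")
}


def validate_record(record, fields=EMPLOYEE_FIELDS):
    """Return a list of (field, reason) for every value the controls reject."""
    errors = []
    for name, (mask, rule) in fields.items():
        value = record.get(name, "")          # a missing field is treated as empty
        if mask is not None and not matches_mask(value, mask):
            errors.append((name, f"does not fit input mask {mask}"))
        if rule is not None and not rule(value):
            errors.append((name, "fails validation rule"))
    return errors
```

A record is accepted only when `validate_record` returns an empty list, so the check can be placed in front of the database write exactly as Access places it in front of the table.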

V. Impact of Not Having a Recovery Plan

When companies are hit with the catastrophic loss of computerized records:
  43% never reopen
  51% close within two years
  6% survive long term

Despite these statistics many firms do not have a recovery plan.