2000 by Prentice Hall. 12-1
Chapter 12
Computer Security
Uma Gupta
Introduction to Information Systems
Learning Objectives
After studying this chapter, you will be able to:
Describe computer security and its business importance
Explain why information systems are vulnerable to security breaches
Identify different types of security breaches
Describe measures that organizations take to prevent security breaches
Discuss the importance and elements of a disaster plan
Computer Security
The process of protecting and safeguarding hardware, software, networks, physical facilities, data, and personnel from accidental, intentional, or natural disasters.
Common Types of Security Violations
Company data theft by employees
Gaining access to information stored on computer networks by cracking passwords
Industrial espionage by criminals eavesdropping on wireless communications or on LANs and Internet connections
Deliberate, unauthorized modification of software
Theft of employees’ identities to make outrageous or illegal statements on the Internet
Starting or fueling rumors on the Internet that are designed to harm the company
Denial of service attacks in which people call a toll-free number or send an e-mail but the number stays perpetually busy or they are denied access
Awareness of Security Violations
[Bar chart: percentage of respondents answering Yes, No, or Unknown, for 1996 and 1998. Values shown: 53%, 69%, 9%, 14%, 38%, 17%.]
Has your organization been the target of information espionage?
Source: Warroom Research, Inc., Annapolis, Md.
Why Information Systems Are Vulnerable
Increased Access to the System
• Key sources of security breaches are employees, authorized external users such as suppliers, and crackers outside the business
Increased System Complexity
• Information systems today are much more complex than systems even a few years ago
  – the software has many more functions and features and the hardware has integrated components, all of which must work together to provide overall system security
  – each operating system has its own security features, so switching to a new operating system can throw previous security measures into disarray
Why Information Systems Are Vulnerable (cont.)
Cyber Terrorism on the Internet
• The Internet is a haven for those engaging in security misdeeds
• The Internet connects two million host computers and provides access to a rich and extensive set of data and information to millions of users, with the numbers increasing by 15 percent every month
Networks Are the Weakest Link in the Chain
• “Networks are essentially sieves to anyone with minor technical skills, and the desire to retrieve other peoples’ information”
Why Information Systems Are Vulnerable (cont.)
Complacent Management
• Top managers are often reluctant to invest in security because it is difficult to see the effect it has on the “bottom line”
The Three Categories of Security Breaches
Types of Security Breaches: Description
Accidental or unintentional errors: Accidents relating to hardware and software. Employees can also cause unintentional security breaches.
Intentional errors:
  – Cracking passwords: Most common type of security violation, in which individuals intentionally decode passwords.
  – Breaking into computer hardware: Breaking into computer hardware such as modems, faxes, and cellular phones.
  – Software virus: Infected software that behaves in unexpected and undesirable ways.
Natural disasters: Tornadoes, earthquakes, and other disasters that cause computer systems to fail.
Techniques for Reducing Accidental Security Breaches
WAYS TO REDUCE ACCIDENTAL SECURITY BREACHES
• Introduce Hardware Tracking Methods
• Establish and Enforce Clear Security Policies and Procedures
• Training and Educating Users
Eight Symptoms of a Software Virus
Inexplicable loss of free memory
Unusually long program loading or execution times
Changes in program or file size
Malfunctioning print routines
Computer freezing
Unusual messages or beeps
Computer rebooting in the midst of a process
Corrupt files
Computer Security Controls
Policies, procedures, tools, techniques, and methods designed to reduce security breaches, system destruction, and system errors from accidental, intentional, and natural disasters.
Classifications of Security Controls
SECURITY CONTROLS
Application Controls
Examples:
• Passwords
• Smart cards
• Biometric identification
• Backups
Development Controls
Examples:
• Documentation
• Encryption
• Firewalls
Physical Facility Controls
Examples:
• Fire alarms
• Security personnel
• Restricted access to a facility
• Devices that monitor temperature
Application Controls
Passwords
• Many companies require employees to change their passwords frequently
• Employees should use hard-to-guess or randomly generated passwords
Smart cards
• A plastic card with an embedded chip that provides users with a new password each time they log on
Application Controls (cont.)
Biometric identification techniques
• Rely on body parts to validate that the user can access the system
  – fingerprints
  – retinal scans
  – voice recognition
Backup
• Treat information like gold
• Establish a backup routine
• Keep your backups in a safe place
Development Controls
Documentation
• Written set of documents that explain in detail the reasoning behind processes, procedures, and other details
  – The more detailed the documentation, the better off the company will be in the future
Encryption
• Converts data into a secret code before they are transmitted over the network
Physical Facility Controls
Physical Facility Controls are the policies and procedures that control the physical environment in which systems reside
• Posting security personnel
• Installing fire alarms
• Security alarms
• Hidden cameras
• Requiring users to wear badges or use smart cards to gain access to a building
Disaster Recovery Plan (DRP)
There are seven steps in developing a DRP
• Identify specific situations that are classified as a disaster
• Name the individuals who have the right and the responsibility to declare a disaster
• Identify specific steps for declaring a disaster
• Inventory all crucial corporate assets, functions, and resources that are essential to operate the business
• Specify the general course of action the business will take when disaster strikes
• Develop a specific course of action that each employee must take to make the company operational when disaster strikes
• Identify resources required to recover from the disaster, including money, time, personnel, and facilities
Business Guidelines for Security Success
Recognize the Symptoms of Security Breaches
• Unknown accounts added to the system and file server
• An unusual number of log-on failures and dial-in attempts
• Unexpected system or network crashes
• Unauthorized changes to system software and system files
• High system activity when no users are logged on, especially during off-peak hours
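Three of the symptoms listed above (unknown accounts, repeated log-on failures, and high activity with no users logged on) can be checked mechanically against system logs. The following is an added example, not part of the original slides; the event-log format, the approved account list, and all thresholds are assumptions, and the sample log is constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events ("timestamp EVENT detail"); not from a real system.
SAMPLE_LOG = """\
2000-03-02T02:10:01 LOGIN_FAIL bob
2000-03-02T02:10:05 LOGIN_FAIL bob
2000-03-02T02:10:09 LOGIN_FAIL bob
2000-03-02T02:15:00 ACCOUNT_ADD svc_tmp
2000-03-02T02:20:00 CPU 93
2000-03-02T09:00:00 LOGIN_OK alice
2000-03-02T09:30:00 CPU 95
2000-03-02T12:00:00 LOGOUT alice
2000-03-02T12:30:00 CPU 88
"""

APPROVED_ACCOUNTS = {"alice", "bob"}  # assumed account inventory
FAIL_THRESHOLD = 3                    # assumed: failures per account before flagging
CPU_HIGH = 80                         # assumed: percent load treated as high activity
OFF_PEAK_HOURS = range(0, 6)          # assumed: 00:00-05:59 local time

def find_symptoms(log_text):
    """Return (symptom, detail) pairs for three symptoms from the list above."""
    findings, fails, logged_on = [], Counter(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, event, detail = parts
        if event == "ACCOUNT_ADD" and detail not in APPROVED_ACCOUNTS:
            findings.append(("unknown_account", detail))
        elif event == "LOGIN_FAIL":
            fails[detail] += 1
            if fails[detail] == FAIL_THRESHOLD:  # report once, at the threshold
                findings.append(("logon_failures", detail))
        elif event == "LOGIN_OK":
            logged_on.add(detail)
        elif event == "LOGOUT":
            logged_on.discard(detail)
        elif event == "CPU" and int(detail) >= CPU_HIGH and not logged_on:
            off_peak = datetime.fromisoformat(ts).hour in OFF_PEAK_HOURS
            findings.append(("activity_no_users_off_peak" if off_peak
                             else "activity_no_users", ts))
    return findings

if __name__ == "__main__":
    for symptom, detail in find_symptoms(SAMPLE_LOG):
        print(symptom, detail)
```

The 09:30 load spike is not reported because a user is logged on at that time; only activity with an empty session set is flagged.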
Business Guidelines for Security Success (cont.)
Be Watchful of Disgruntled Employees
• Disgruntled employees, or those who have been fired, are often likely to cause security breaches
• Establish clear policies and legal agreements with fired employees
Involve Law Enforcement When You Suspect a Security Breach
• Call police immediately
• Train employees not to erase or destroy files that the suspected employee used or created
• Cooperate with law enforcement
• Quantify damages to assist with prosecution
Business Guidelines for Security Success (cont.)
Build Security Partnerships
• Security depends on partnerships with suppliers and customers, and sometimes the government
Convince Top Management That Security Is Not an Option
• 41% of survey participants reported that their company doesn’t have formal security policies
• More than half said they lack disaster recovery plans
• More than a third said they don’t monitor their networks for suspicious activity
• Fewer than one in five use encryption technology to safeguard sensitive information