
Chapter 17: Controls and Security Measures

I. Assets and Threats

Information System Assets That Must Be Protected
- People
- Hardware
- Software
  - Operating systems
  - Applications
- Data
- Networks

Main Sources of Security Threats
- Hardware failure
- Software failure (unknown bug)
- Fire
- Electrical problem
- Natural disaster (flood, hurricane, tornado, etc.)
- Alteration or destruction of data
- Human error
- Unauthorized access (internal or external)
- Theft of data, information, services, equipment, or money
- Telecommunications problems
- Computer viruses

II. Classifications For Controls

Classification 1
- Preventive control – a constraint designed to prevent a security risk from occurring
  - Use of passwords for systems access
- Detective control – a constraint designed to detect a security risk as it occurs
  - Virus detection software
- Corrective control – a constraint designed to correct a breach of security after it has occurred
  - A disaster recovery plan

Classifications For Controls

Classification 2
- General controls establish a framework for controlling the design and use of information system assets and operations
  - Software controls – monitor the use of system software
  - Hardware controls – provisions for protection from fire
  - Computer operations controls – backup and recovery procedures
  - Data security controls – unauthorized access
  - Implementation controls – audit the systems development process
  - Administrative controls – implement procedures to ensure controls are properly executed and enforced
- Application controls
  - Input controls – check data for accuracy
  - Processing controls – establish that data are complete and accurate results are obtained
  - Output controls – ensure that results are properly distributed

Management Analysis For Reducing Threats: 1

                    Type of Control
Type of Threat      Preventive       Detective        Corrective
Hardware failure    List controls    List controls    List controls
Software failure    List controls    List controls    List controls
Fire                List controls    List controls    List controls

Management Analysis For Reducing Threats: 2

                    Information Systems Asset
Threats             Hardware         Software         Data
Hardware failure    List controls    List controls    List controls
Software failure    List controls    List controls    List controls
Fire                List controls    List controls    List controls

III. Risk Management

Risk management consists of
- the identification of risks or threats
- the implementation of controls
- the monitoring of the controls for effectiveness

Risk assessment is a risk management activity that attempts to determine
- What can go wrong?
- How likely is it to go wrong?
- What are the consequences if it does go wrong?

The Economic Aspect of Risk Management - 1

Two types of costs to consider when determining how much to spend on data security:
- The cost of potential damage
- The cost of implementing a preventive measure

The total cost of potential damage is the aggregate of all the potential damages, each multiplied by the probability of its occurrence. These numbers can be difficult to estimate.

The Economic Aspect of Risk Management - 2

Figure 17.12 The total cost to the enterprise is lowest at “Optimum.” No less, and no more, should be spent on information security measures.
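
The trade-off between the two types of costs can be worked through numerically. The following is an added example, not part of the original slides: the threats, damage figures, probabilities and preventive measures are all constructed assumptions, and each measure is assumed to scale the probability of one threat by a fixed factor.

```python
from itertools import combinations

# Constructed sample figures (assumptions, not from the slides):
# threat -> (damage in dollars if it occurs, probability of occurrence per year)
THREATS = {
    "hardware failure": (40_000, 0.10),
    "computer virus": (25_000, 0.30),
    "fire": (500_000, 0.01),
}

# Hypothetical preventive measures:
# name -> (cost per year, {threat: factor its probability is multiplied by})
MEASURES = {
    "anti-virus software": (2_000, {"computer virus": 0.2}),
    "fault-tolerant hardware": (6_000, {"hardware failure": 0.25}),
    "fire suppression": (4_000, {"fire": 0.5}),
}


def expected_damage(selected=()):
    """Sum of damage x probability over all threats, given the selected measures."""
    total = 0.0
    for threat, (damage, probability) in THREATS.items():
        for measure in selected:
            probability *= MEASURES[measure][1].get(threat, 1.0)
        total += damage * probability
    return total


def total_cost(selected=()):
    """Cost of the measures plus the expected damage that remains."""
    return sum(MEASURES[m][0] for m in selected) + expected_damage(selected)


def optimum():
    """Try every combination of measures and return the cheapest overall."""
    names = sorted(MEASURES)
    candidates = [c for r in range(len(names) + 1) for c in combinations(names, r)]
    return min(candidates, key=total_cost)


if __name__ == "__main__":
    everything = tuple(sorted(MEASURES))
    for label, chosen in [("no measures", ()), ("optimum", optimum()), ("all measures", everything)]:
        print(f"{label:13s} {', '.join(chosen) or '-':60s} total cost {total_cost(chosen):>9,.0f}")
```

With these constructed figures, buying every measure costs the enterprise more in total than buying none, and the lowest total lies in between.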

IV. Telecommunication Network Vulnerabilities

Due to the complex and diverse hardware, software, organizational and personnel arrangements required for telecommunication networks, there are many areas of vulnerability:
- Natural failures of hardware and software
- Misuse by programmers, computer operators, maintenance staff, and end users
- Tapping of lines and illegal intercepts of data
- Interference such as crosstalk
- Interference from radiation of other devices

Special Threats to the Internet
- Viruses
- Web defacing
- Spoofing
- Denial of service attacks
- Hackers

Computer Viruses

Viruses – a computer virus is software that is written with malicious intent to cause annoyance or damage. Viruses can be benign or malignant
- A benign virus displays a message or slows down a computer but does not destroy information
- A malignant virus can do damage to your computer system, such as scrambling or deleting files, shutting your computer down, or making applications not function.

Viruses spread by copying infected files from someone else’s disk or by receiving infected files as an email attachment.

More On Viruses

A macro virus is a malignant virus that spreads by binding itself to application software like Word or Excel and makes copies of itself (replicates) each time you use the application. If you have such a virus on your computer you can infect another machine by attaching an infected file to an email. The email recipient infects their machine as soon as they open the attachment.

Worms are particularly nasty macro viruses because they spread from computer to computer rather than file to file. Worms do not need your help; worms find your email address book and send themselves to your contacts.

Other Threats To the Internet

Web defacing – people break into a Web site and replace the site with a substitute site that is neither attractive nor complimentary; electronic graffiti

Spoofing – the perpetrator uses flaws in the domain name software (DNS) used on the Internet to redirect a potential Web site visitor to an alternate site that is usually not complimentary to the real site owner. This is similar to someone switching your name with someone else’s in a telephone directory

Denial of service attack (DoS) – this occurs when too many requests are received to log on a Web site’s page. Multiple log-on requests are perpetrated by specially designed software that can automatically generate log-in requests over a long period of time.

Distributed denial of service attacks (DDoS) are denial of service attacks that are perpetrated from multiple computers

Hackers

A hacker is a person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.
- Hackers are responsible for computer viruses, Web defacing, spoofing, and denial of service attacks
- Seventy-three percent of respondents to a survey in 1998 of 1600 companies in 50 countries reported security breaches
  - 58% of the breaches were from authorized employees
  - 24% of the breaches were from unauthorized employees
  - 13% of the breaches were from hackers or terrorists

Examples of Network/Internet Controls - 1

Anti-virus software detects and removes or quarantines computer viruses. You must update your anti-virus software frequently since new viruses come along every day.

Firewalls are hardware and/or software that protect a computer or network from intruders. Firewalls also can detect if your computer is communicating with the Internet without your approval

A callback control verifies a remote user’s telephone number before access is allowed

Examples of Network/Internet Controls - 2

Access controls check who you are before you can have access. Ways to check on access are (1) passwords, (2) special ID cards, or (3) biometrics (fingerprints, voice, retina of your eye).

Encryption codes a message to prevent unauthorized access to or understanding of the data being transmitted.
- For Web transactions SSL and SHTTP are the encryption standards
- When you access data on a secure server the communication between your browser and the secure server is encrypted

Intrusion-detection software looks for people on a network who are acting suspiciously (e.g., trying lots of passwords)
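
The "trying lots of passwords" check can be expressed as a sliding-window count of failed log-ons per source. The following is an added example, not part of the original slides: the log format, the sample lines, and the threshold of 5 failures within 1 minute are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, result, user, source address)
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 192.0.2.10
2024-05-01T09:00:05 FAIL carol 198.51.100.7
2024-05-01T09:00:09 FAIL alice 192.0.2.10
2024-05-01T09:00:15 FAIL bob 192.0.2.10
2024-05-01T09:00:20 FAIL carol 198.51.100.7
2024-05-01T09:00:22 FAIL bob 192.0.2.10
2024-05-01T09:00:31 OK carol 198.51.100.7
2024-05-01T09:00:38 FAIL root 192.0.2.10
2024-05-01T09:02:00 FAIL dave 203.0.113.5
2024-05-01T09:05:00 FAIL dave 203.0.113.5
2024-05-01T09:08:00 FAIL dave 203.0.113.5
2024-05-01T09:11:00 FAIL dave 203.0.113.5
2024-05-01T09:14:00 FAIL dave 203.0.113.5
"""


def detect_guessing(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag each source with at least `threshold` failed log-ons inside `window`."""
    recent = defaultdict(deque)   # source -> (time, user) of failures still in the window
    flagged = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4:      # skip blank or malformed lines
            continue
        stamp, result, user, source = fields
        if result != "FAIL":
            continue
        when = datetime.fromisoformat(stamp)
        failures = recent[source]
        failures.append((when, user))
        # Drop failures that have aged out of the window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold and source not in flagged:
            flagged[source] = {
                "first_alert": when,
                "users": sorted({u for _, u in failures}),
            }
    return flagged


if __name__ == "__main__":
    for source, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(source, info["first_alert"].isoformat(), info["users"])
```

In the sample, the user who mistypes a password twice and the source whose five failures are spread over twelve minutes are not flagged; only the source with five failures in under a minute is.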

Examples of Network/Internet Controls - 3

Digital signature is a digital code attached to an electronically transmitted message that is used to verify the origins and contents of the message (e.g., similar to a written signature)

Digital certificates are attachments to an electronic message to verify the identity of the sender and to provide a means to encode a reply.

Load balancing is the process of distributing a large number of access requests among multiple servers so that no single server is overwhelmed

Other Controls - 1

Backup is the process of making a copy of the information stored on a computer. There is no action that you can take that is more essential than regular backups.

Surveillance cameras in areas that contain IS assets can deter theft or destruction.

Surveillance software can record user actions down to individual keystrokes.

Anti-theft systems can be installed where alarms go off if unauthorized personnel tamper with computer hardware.

Other Controls - 2

A hot site is a separate and fully equipped facility where a firm can move immediately after a disaster and resume business.

Fault-tolerant computer systems are systems that contain extra hardware, software, and power supply components that create an environment that provides continuous uninterrupted service.

Disaster recovery plan is a plan for running the business in the event of a computer outage. The plan states what should be done and by whom.

Other Controls - 3

Data entry controls try to reduce errors in the data entry process by restricting the range of the data or its format (in Access see “validation rules” or “input masks” in the Design View for tables)

Separation of duties means that different people are in charge of different activities, allowing checks and balances and minimizing possibility of criminal behavior.

An audit trail is a system that automatically records data such as the date and time of a transaction or the name or password of a user performing a specified activity (often without the knowledge of the user)

V. Impact of Not Having a Recovery Plan

When companies are hit with the catastrophic loss of computerized records
- 43% never reopen
- 51% close within two years
- 6% survive long term

Despite these statistics many firms do not have a recovery plan.