C8- Securing Information Systems


Definitions

• Security: the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems

• Controls: methods to ensure the safety of assets, reliability of records and adherence to standards

Contemporary Security Challenges and Vulnerabilities

Figure 8-1
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

System Vulnerability and Abuse

• Internet vulnerabilities
– Vulnerable to outside attacks
– Abuses can have widespread impact
– E-mail increases system vulnerability

• Wireless security challenges
– The service set identifiers (SSIDs) identifying the access points are broadcast multiple times

Malicious Software Programs (Malware)

• Computer viruses
– Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
– Deliver a “payload”
– Can spread by email attachments

• Worms
– Programs that copy themselves from one computer to another over networks
– Can destroy data and programs, and halt the operation of computer networks

• Trojan horse
– A software program that appears to be benign, but then does something unexpected
– Often “transports” a virus into a computer system

System Vulnerability and Abuse

Hackers and Cybervandalism

• Hackers: individuals who attempt to gain unauthorized access to a computer system
– Cracker: a hacker with criminal intent

• Cybervandalism: intentional disruption, defacement, or destruction of a Web site or system

System Vulnerability and Abuse

Spoofing and Sniffing

• Spoofing
– Masquerading as someone else, or redirecting a Web link to an unintended address

• Sniffing
– An eavesdropping program that monitors information travelling over a network

System Vulnerability and Abuse


Denial of Service (DoS) Attacks

• Hackers flood a server with false communications in order to crash the system

System Vulnerability and Abuse

Computer Crime

• Computer crime: a violation of criminal law that involves a knowledge of technology for perpetration, investigation, or prosecution

• Identity theft
– A crime in which the imposter obtains key pieces of personal information

• Phishing
– Setting up fake Web sites or sending email messages that look legitimate, and using them to ask for confidential data

• Cyberterrorism and cyberwarfare
– Exploitation of systems by terrorists

• Internal threats: employees

• Software vulnerability


Phishing

Business Value of Security and Control

• Protect the firm's own information assets and those of its customers, employees, and business partners

• Legal liability
– Litigation for data exposure or theft

• A sound security and control framework = high return on investment

Establishing a Framework for Security and Control

• Risk assessment
– Determine the level of risk to the firm in the case of improper controls

• Security policy
– Chief Security Officer (CSO)
– Acceptable Use Policy (AUP)
– Authorization policies
– Authorization management systems

• Ensuring business continuity
– Fault-tolerant computer systems
– High-availability computing
– Recovery-oriented computing

• Disaster recovery planning and business continuity planning
– Security outsourcing

• The role of auditing


Technologies And Tools for Security and Control

• Access controls
– Consist of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders

• Authentication
– The ability to know that a person is who she or he claims to be
– Passwords, tokens, biometric authentication
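The two halves of access control named on this slide, authentication (is this person who they claim to be?) and the authorization policies from the security-policy slide (what may this person do?), as an added example in Python. It is not code from the slides: the user names, passwords, roles and the POLICY table are constructed for the demo. Passwords are stored as salted PBKDF2 hashes and compared in constant time; the policy check only runs after authentication succeeds.

```python
import hashlib
import hmac
import os

# Demo value so the example runs quickly; OWASP (2023) recommends 600,000
# iterations for PBKDF2-HMAC-SHA256 in production.
PBKDF2_ITERATIONS = 100_000

# Authorization policy (constructed): which roles may perform which actions.
# Each role gets only the actions it needs (least privilege).
POLICY = {
    "clerk":   {"read_orders"},
    "manager": {"read_orders", "approve_refund"},
    "admin":   {"read_orders", "approve_refund", "manage_users"},
}


def hash_password(password, salt=None):
    """Return (salt, digest). A random per-user salt means two users with the
    same password get different digests and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time, so response timing
    does not reveal how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_store():
    """Constructed credential store for the demo: username -> salt, digest, role."""
    store = {}
    for name, password, role in [("alice", "correct horse battery staple", "manager"),
                                 ("bob", "bob-password-2024", "clerk")]:
        salt, digest = hash_password(password)
        store[name] = {"salt": salt, "digest": digest, "role": role}
    return store


def authenticate(store, username, password):
    """Authentication: return the user's role, or None if the claim fails."""
    record = store.get(username)
    if record is None:
        # Do the same expensive work for unknown users so that a missing
        # account is not measurably faster than a wrong password.
        hash_password(password, b"\x00" * 16)
        return None
    if not verify_password(password, record["salt"], record["digest"]):
        return None
    return record["role"]


def is_authorized(role, action):
    """Authorization: may this role perform this action under POLICY?"""
    return action in POLICY.get(role, set())


def access(store, username, password, action):
    """Access control = authentication followed by an authorization-policy check."""
    role = authenticate(store, username, password)
    if role is None:
        return "denied: authentication failed"
    if not is_authorized(role, action):
        return f"denied: role '{role}' may not {action}"
    return f"allowed: {username} ({role}) {action}"


if __name__ == "__main__":
    users = build_user_store()
    print(access(users, "alice", "correct horse battery staple", "approve_refund"))
    print(access(users, "bob", "bob-password-2024", "approve_refund"))
    print(access(users, "bob", "not-his-password", "read_orders"))
```

The store holds only salts and digests, never the passwords themselves, so a copied store does not directly yield credentials; the role lookup is separate from the credential check so that changing a user's permissions never touches their password record.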


Firewalls

• Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
– Packet filtering examines selected fields in the headers of data packets flowing back and forth between the network and the Internet
– Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and receiver

Technologies And Tools For Security And Control
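Packet filtering and stateful inspection side by side, as an added Python example rather than anything from the slides. A stateless rule can only look at the header fields of the packet in front of it, so to let HTTPS replies back in it must accept anything from source port 443 with the ACK flag set; the stateful tracker instead remembers which connections internal hosts opened and admits inbound packets only when they answer one. The packets, the 10.0.0.0/24 internal range and the addresses are constructed for the demo.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumption: the corporate LAN is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    """The header fields a firewall looks at (constructed, simplified TCP)."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # ACK flag is set on every packet after the opening SYN


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Packet filtering: the decision uses this packet's header alone.

    Rule 1 lets internal hosts open HTTPS connections. Rule 2 has to let the
    replies back in, but the only evidence it can use is 'source port 443 and
    ACK set', and any external sender can put those values in a packet.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
        return True
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport == 443 and pkt.ack):
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: record outbound connections and admit inbound
    packets only when they belong to one of those dialogues."""

    def __init__(self):
        self.flows = set()   # (internal ip, internal port, external ip, external port)

    def process(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport != 443:
                return False
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            # Reverse the tuple: is this packet a reply to a dialogue we know?
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        return False


def run_demo():
    """Return {packet name: (stateless verdict, stateful verdict)}, True = allowed."""
    fw = StatefulFirewall()
    packets = [
        ("request", Packet("10.0.0.7", 51000, "198.51.100.10", 443)),
        ("reply",   Packet("198.51.100.10", 443, "10.0.0.7", 51000, ack=True)),
        # Unsolicited inbound packet dressed up as a reply, aimed at an internal RDP port.
        ("probe",   Packet("203.0.113.5", 443, "10.0.0.7", 3389, ack=True)),
    ]
    return {name: (stateless_filter(p), fw.process(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:8s} stateless={'allow' if stateless else 'drop'}  "
              f"stateful={'allow' if stateful else 'drop'}")
```

Both filters pass the genuine request and its reply; only the stateful one drops the unsolicited "probe", because no internal host ever opened a connection to 203.0.113.5. Real firewalls also expire flow entries and track TCP state transitions, which this toy omits.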


Intrusion Detection Systems, and Antivirus

• Intrusion detection systems
– Full-time monitoring tools placed at the most vulnerable points of the corporate networks to detect and deter intruders

• Antivirus and antispyware
– Checks computer systems for viruses

Technologies And Tools For Security And Control
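The monitoring an intrusion detection system does, shown as an added Python example that is not from the slides. It reads constructed log lines of the form `<ISO time> <source IP> <event>` and raises two kinds of alert: a source that keeps failing to log in (repeated password guessing) and a source that floods the server with connection attempts, the denial-of-service pattern from the earlier slide. The thresholds, windows and log contents are assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log lines (not from the slides): '<ISO time> <source IP> <event>'."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(3):                      # a normal user logging in now and then
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 10.0.0.5 login_ok")
    for i in range(6):                      # six failures in 30 s from one host: password guessing
        lines.append(f"{(t0 + timedelta(seconds=5 + 5 * i)).isoformat()} 203.0.113.9 login_fail")
    for i in range(120):                    # 120 connection attempts in six seconds: a flood
        lines.append(f"{(t0 + timedelta(milliseconds=50 * i)).isoformat()} 198.51.100.77 connect")
    return lines


def parse(line):
    ts, ip, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, event


class WindowCounter:
    """Count events per key inside a sliding time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:      # drop timestamps that fell out of the window
            q.popleft()
        return len(q)


def detect(lines, fail_threshold=5, flood_threshold=100):
    """Return {'brute_force': set of IPs, 'flood': set of IPs} for the given log lines."""
    fails = WindowCounter(timedelta(seconds=60))
    conns = WindowCounter(timedelta(seconds=10))
    alerts = {"brute_force": set(), "flood": set()}
    for line in sorted(lines, key=lambda l: parse(l)[0]):   # monitor in time order
        ts, ip, event = parse(line)
        if event == "login_fail" and fails.add(ip, ts) >= fail_threshold:
            alerts["brute_force"].add(ip)
        elif event == "connect" and conns.add(ip, ts) >= flood_threshold:
            alerts["flood"].add(ip)
    return alerts


if __name__ == "__main__":
    for kind, ips in detect(build_sample_log()).items():
        print(kind, sorted(ips))
```

The sliding window is what keeps the detector honest: six failures spread over a day are ordinary, six within a minute are not. A production IDS would also correlate across many hosts and feed the alert to a blocking or paging action; this block stops at producing the alert sets.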


Encryption

• Encryption
– Coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted

• Public key encryption
– Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key

• Public Key Infrastructure (PKI)
– Use of public key cryptography working with a certificate authority

Technologies And Tools For Security And Control


Public Key Encryption

A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received.

The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Technologies And Tools For Security And Control
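The key relationship described on the Encryption slide and the exchange in this figure, carried through in Python as an added example that is not from the slides. It is textbook RSA with tiny Mersenne primes and no padding, chosen only so the arithmetic can be followed: the sender encrypts with the recipient's public key, only the matching private key recovers the message, and the same pair works in the other direction for a signature. The primes, the message and the function names are assumptions for the demo; real systems use 2048-bit or larger keys with OAEP/PSS padding from a vetted library.

```python
import hashlib
from math import gcd

# Assumed demo primes (Mersenne primes 2^61-1, 2^89-1, 2^107-1). Real RSA keys
# use two random primes of about 1024 bits each; these are far too small for use.
P1, Q1 = 2**61 - 1, 2**89 - 1      # recipient's key pair
P2, Q2 = 2**107 - 1, 2**61 - 1     # some other party's key pair


def generate_keypair(p, q, e=65537):
    """Textbook RSA: n = p*q, public exponent e, private exponent d with e*d = 1 (mod phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse: the mathematical link between the keys
    return (n, e), (n, d)          # (public key, private key)


def encrypt(public_key, m):
    """Lock an integer message with the recipient's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Unlock with the private key: (m^e)^d = m (mod n)."""
    n, d = private_key
    return pow(c, d, n)


def text_to_int(text):
    return int.from_bytes(text.encode("utf-8"), "big")


def int_to_text(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


def sign(private_key, text):
    """Same keys, other direction: the private key transforms a hash of the text."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, text, signature):
    """Anyone holding the public key can check that the signature matches the text."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(text.encode("utf-8")).digest(), "big") % n
    return pow(signature, e, n) == h


def demo_exchange(message="meet at noon"):
    """Sender encrypts with the recipient's public key; only the recipient's private key recovers it."""
    recipient_pub, recipient_priv = generate_keypair(P1, Q1)
    _other_pub, other_priv = generate_keypair(P2, Q2)
    m = text_to_int(message)
    c = encrypt(recipient_pub, m)                   # this is what travels over the network
    return {
        "ciphertext_differs": c != m,
        "recipient_reads": int_to_text(decrypt(recipient_priv, c)),
        "other_key_fails": decrypt(other_priv, c) != m,
    }


if __name__ == "__main__":
    print(demo_exchange())
```

The directory lookup in the figure is where PKI comes in: without a certificate authority vouching for which public key belongs to which recipient, the sender could be handed a key that belongs to someone else, and the arithmetic above would lock the message for the wrong party.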


Solution Guidelines

• Security and control must become a more visible and explicit priority and area of information systems investment

• Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business

• Security and control should be the responsibility of everyone in the organization

Management Opportunities, Challenges, And Solutions


Learning Objectives

• Analyze why information systems need special protection from destruction, error, and abuse.

• Assess the business value of security and control.

• Design an organizational framework for security and control.

• Evaluate the most important tools and technologies for safeguarding information resources.