Chapter 12: Computer Security. Uma Gupta, Introduction to Information Systems. 2000 by Prentice Hall.


Chapter 12

Computer Security

Uma Gupta, Introduction to Information Systems


Learning Objectives

After studying this chapter, you will be able to:

Describe computer security and its business importance

Explain why information systems are vulnerable to security breaches

Identify different types of security breaches

Describe measures that organizations take to prevent security breaches

Discuss the importance and elements of a disaster plan


Computer Security

The process of protecting and safeguarding hardware, software, networks, physical facilities, data, and personnel from accidental, intentional, or natural disasters.


Common Types of Security Violations

Company data theft by employees

Gaining access to information stored on computer networks by cracking passwords

Industrial espionage by criminals eavesdropping on wireless communications or on LANs and Internet connections

Deliberate, unauthorized modification of software

Theft of employees’ identities to make outrageous or illegal statements on the Internet

Starting or fueling rumors on the Internet that are designed to harm the company

Denial of service attacks in which people call a toll-free number or send an e-mail but the number stays perpetually busy or they are denied access


Awareness of Security Violations

[Bar chart: survey responses (Yes / No / Unknown, in percent) to the question "Has your organization been the target of information espionage?", compared for 1996 and 1998. Source: Warroom Research, Inc., Annapolis, Md.]


Why Information Systems Are Vulnerable

Increased Access to the System: Key sources of security breaches are employees, authorized external users such as suppliers, and crackers outside the business.

Increased System Complexity: Information systems today are much more complex than systems even a few years ago. The software has many more functions and features and the hardware has integrated components, all of which must work together to provide overall system security. Each operating system has its own security features, so switching to a new operating system can throw previous security measures into disarray.


Why Information Systems Are Vulnerable (cont.)

Cyber Terrorism on the Internet: The Internet is a haven for those engaging in security misdeeds. The Internet connects two million host computers and provides access to a rich and extensive set of data and information to millions of users, with the numbers increasing by 15 percent every month.

Networks Are the Weakest Link in the Chain: “Networks are essentially sieves to anyone with minor technical skills, and the desire to retrieve other peoples’ information”


Why Information Systems Are Vulnerable (cont.)

Complacent Management: Top managers are often reluctant to invest in security because it is difficult to see the effect it has on the ‘bottom line’.


The Three Categories of Security Breaches

Type of security breach: description

Accidental or unintentional errors: Accidents relating to hardware and software. Employees can also cause unintentional security breaches.

Intentional errors:

Cracking passwords: Most common type of security violation, in which individuals intentionally decode passwords.

Breaking into computer hardware: Breaking into computer hardware such as modems, faxes, and cellular phones.

Software virus: Infected software that behaves in unexpected and undesirable ways.

Natural disasters: Tornadoes, earthquakes, and other disasters that cause computer systems to fail.


Techniques for Reducing Accidental Security Breaches

Ways to reduce accidental security breaches:

Introduce hardware tracking methods

Establish and enforce clear security policies and procedures

Training and educating users


Eight Symptoms of a Software Virus

Inexplicable loss of free memory

Unusually long program loading or execution times

Changes in program or file size

Malfunctioning print routines

Computer freezing

Unusual messages or beeps

Computer rebooting in the midst of a process

Corrupt files


Computer Security Controls

Policies, procedures, tools, techniques, and methods designed to reduce security breaches, system destruction, and system errors from accidental, intentional, and natural disasters.


Classifications of Security Controls

Security controls fall into three classes:

Development Controls. Examples: documentation, encryption, firewalls.

Application Controls. Examples: passwords, smart cards, biometric identification, backups.

Physical Facility Controls. Examples: fire alarms, security personnel, restricted access to a facility, devices that monitor temperature.


Application Controls

Passwords: Many companies require employees to change their passwords frequently. Employees should use hard-to-guess or randomly generated passwords.

Smart cards: A plastic card with an embedded chip that provides users with a new password each time they log on.


Application Controls (cont.)

Biometric identification techniques: Rely on body parts to validate that the user can access the system: fingerprints, retinal scans, voice recognition.

Backup: Treat information like gold. Establish a backup routine. Keep your backups in a safe place.


Development Controls

Documentation: Written set of documents that explain in detail the reasoning behind processes, procedures, and other details. The more detailed the documentation, the better off the company will be in the future.

Encryption: Converts data into a secret code before they are transmitted over the network.


Physical Facility Controls

Physical Facility Controls are the policies and procedures that control the physical environment in which systems reside:

Posting security personnel

Installing fire alarms

Security alarms

Hidden cameras

Requiring users to wear badges or use smart cards to gain access to a building


Disaster Recovery Plan (DRP)

There are seven steps in developing a DRP:

1. Identify specific situations that are classified as a disaster

2. Name the individuals who have the right and the responsibility to declare a disaster

3. Identify specific steps for declaring a disaster

4. Inventory all crucial corporate assets, functions, and resources that are essential to operate the business

5. Specify the general course of action the business will take when disaster strikes

6. Develop a specific course of action that each employee must take to make the company operational when disaster strikes

7. Identify resources required to recover from the disaster, including money, time, personnel, and facilities


Business Guidelines for Security Success

Recognize the Symptoms of Security Breaches:

Unknown accounts added to the system and file server

An unusual number of log-on failures and dial-in attempts

Unexpected system or network crashes

Unauthorized changes to system software and system files

High system activity when no users are logged on, especially during off-peak hours
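As an added illustration (not part of the textbook), a small audit-log monitor in Python that flags four of the symptoms listed above over a constructed sample log; the event format, the baseline account and admin sets, and the thresholds are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime
KNOWN_ACCOUNTS = {"alice", "bob", "backup"}  # assumed baseline of approved accounts
ADMINS = {"alice"}                           # assumed: only admins may change system files
FAILURE_THRESHOLD = 3                        # assumed: more failures than this is unusual
OFF_PEAK_HOURS = range(0, 6)                 # assumed: 00:00 to 05:59 is off-peak

# Constructed sample audit log, one "<ISO timestamp> <event> <detail>" per line.
SAMPLE_LOG = """\
2000-03-01T09:12:00 LOGON_OK alice
2000-03-01T09:30:00 ACCOUNT_ADDED svc_tmp
2000-03-01T10:00:00 FILE_CHANGED svc_tmp /etc/passwd
2000-03-01T17:30:00 LOGOFF alice
2000-03-01T23:55:00 LOGON_FAIL bob
2000-03-02T00:01:00 LOGON_FAIL bob
2000-03-02T00:02:00 LOGON_FAIL bob
2000-03-02T00:03:00 LOGON_FAIL bob
2000-03-02T03:00:00 CPU_LOAD 97
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, event, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), event, detail))
    return events

def find_symptoms(events):
    # Return one alert string per symptom observed, in log order.
    alerts, failures, logged_on = [], Counter(), set()
    for ts, event, detail in events:
        if event == "ACCOUNT_ADDED" and detail not in KNOWN_ACCOUNTS:
            alerts.append(f"unknown account added: {detail}")
        elif event == "FILE_CHANGED":
            actor, path = detail.split(" ", 1)
            if actor not in ADMINS:
                alerts.append(f"unauthorized change to {path} by {actor}")
        elif event == "LOGON_FAIL":
            failures[detail] += 1
            if failures[detail] == FAILURE_THRESHOLD + 1:  # alert once per account
                alerts.append(f"excessive log-on failures for {detail}")
        elif event == "LOGON_OK":
            logged_on.add(detail)
        elif event == "LOGOFF":
            logged_on.discard(detail)
        elif (event == "CPU_LOAD" and int(detail) > 80  # assumed: above 80% is "high"
              and not logged_on and ts.hour in OFF_PEAK_HOURS):
            alerts.append(f"high activity ({detail}%) with no users logged on at {ts}")
    return alerts
```

Running `find_symptoms(parse_log(SAMPLE_LOG))` yields four alerts, one per symptom planted in the sample log.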


Business Guidelines for Security Success (cont.)

Be Watchful of Disgruntled Employees: Disgruntled employees, or those who have been fired, are often likely to cause security breaches. Establish clear policies and legal agreements with fired employees.

Involve Law Enforcement When You Suspect a Security Breach:

Call police immediately

Train employees not to erase or destroy files that the suspected employee used or created

Cooperate with law enforcement

Quantify damages to assist with prosecution


Business Guidelines for Security Success (cont.)

Build Security Partnerships: Security depends on partnerships with suppliers and customers, and sometimes the government.

Convince Top Management That Security Is Not an Option:

41% of survey participants reported that their company doesn’t have formal security policies

More than half said they lack disaster recovery plans

More than a third said they don’t monitor their networks for suspicious activity

Fewer than one in five use encryption technology to safeguard sensitive information