C8 - Securing Information Systems

Facebook Virus: “Update your Adobe Flash!”

Security and Control

The Security Challenge

Security vs. Control
• Security: the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems
• Controls: methods to ensure the safety of assets, the reliability of records and adherence to standards

Security Vulnerabilities
The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network.
• Smart phones

System Vulnerability and Abuse
Internet vulnerabilities
• Vulnerable to outside attacks
• Abuses can have widespread impact
• E-mail increases system vulnerability
• Fixed IP address: they know where you are!
• VoIP service vulnerabilities

Wireless security challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
Using rogue access points!!!

Malicious Software (Malware)
• Computer viruses:
– Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
– Deliver a “payload”
– Can spread by e-mail attachments
• Worms:
– Programs that copy themselves from one computer to another over networks; they rely less on humans to spread
– Can destroy data and programs and halt the operation of computer networks
• Trojan horse:
– A software program that appears to be benign but then does something unexpected
– Often “transports” a virus into a computer system

Malware …
• SQL injection attacks
• Spyware: installs itself surreptitiously to monitor user Web surfing activity and serve advertising
– Keyloggers

Hackers & Cybervandalism
• Hackers: individuals who attempt to gain unauthorized access to a computer system
• Cracker: a hacker with criminal intent
• System intrusion, theft of goods and information, system damage and cybervandalism
– Cybervandalism: intentional disruption, defacement, or destruction of a Web site or system

Spoofing and Sniffing
• Spoofing: masquerading as someone else, or redirecting a Web link to an unintended address
• Sniffing: an eavesdropping program that monitors information travelling over a network

DoS Attacks
• Denial of service
• Hackers flood a server with false communications in order to crash the system
• Use thousands of “zombie” PCs infected with malicious software without their owners’ knowledge and organized into a botnet

Computers as Targets of Crime
• Breaching the confidentiality of protected computerized data
• Accessing a computer system without authority
• Knowingly accessing a protected computer to commit fraud
• Intentionally accessing a protected computer and causing damage, negligently or deliberately
• Knowingly transmitting a program, program code or command that causes damage to a computer
• Threatening to cause damage to a computer

Computers as Instruments of Crime
• Theft of trade secrets
• Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video
• Schemes to defraud
• Using e-mail for threats or harassment
• Intentionally attempting to intercept electronic communication
• Illegally accessing e-mail and voice mail
• Transmitting or possessing child pornography

Computer Crime
• Identity theft
– A crime in which an imposter obtains key pieces of personal information
– Phishing: setting up fake Web sites or sending e-mail messages that look legitimate and using them to ask for confidential data
– Evil twins: wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet, such as those in airport lounges, hotels, or coffee shops
– Pharming: redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser

Computer Crime …
• Click fraud
• Cyberterrorism and cyberwarfare
– Exploitation of systems by terrorists
• Internal threats: employees
– Lack of knowledge is the single greatest cause of network security breaches
• Software vulnerability
– Bugs or program code defects; it is virtually impossible to eliminate all bugs from large programs
– Patches: to correct software flaws, the vendor creates small pieces of software called patches

Phishing

Business Value of Security and Control
• Different government regulations and acts
• Protect the firm’s own information assets and those of customers, employees, and business partners
• Legal liability: litigation for data exposure or theft
• A sound security and control framework = high return on investment

Computer Forensics
• The scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law
– Recovering data from computers while preserving evidential integrity
– Securely storing and handling recovered electronic data
– Finding significant information in a large volume of electronic data
– Presenting the information to a court of law

Establishing a Framework
• General controls
– Govern the design, security, and use of computer programs and the security of data files throughout the organization’s IS infrastructure
– Include software controls, physical hardware controls, computer operations controls, data security controls, controls over implementation of system processes, and administrative controls
• Application controls
– Unique to each application, such as payroll
– (1) input controls, (2) processing controls, and (3) output controls

Establishing a Framework …
• Risk assessment (Chief Security Officer, CSO)
– Determine the level of risk to the firm in the case of improper controls
• Security policy
– Ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving these goals
– Acceptable Use Policy (AUP): defines acceptable and unacceptable actions
– Identity management: business processes and software tools for identifying the valid users of a system and controlling their access to system resources

Two security profiles or data security patterns
Access rules for different levels of users in the human resources function.

Establishing a Framework …
• Disaster recovery planning: duplicate computer center
• Business continuity planning
– Fault-tolerant computer systems
– High-availability computing
– Recovery-oriented computing
– Security outsourcing
• Auditing
– An MIS audit examines the firm’s overall security environment as well as the controls governing individual information systems

Technologies and Tools
• Access controls
– Consist of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders
• Authentication: the ability to know that a person is who he or she claims to be
– Passwords, tokens, biometric authentication
– Biometric authentication uses systems that read and interpret individual human traits, such as fingerprints, irises, and voices, in order to grant or deny access
Firewalls
• Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic
– Packet filtering examines selected fields in the headers of data packets flowing back and forth between the network and the Internet
– Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and receiver
– Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall.

A Corporate Firewall

Intrusion Detection Systems and Antivirus
• Intrusion detection systems
– Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders
• Antivirus and antispyware
• Unified threat management systems
– Combine various security tools into a single appliance, including firewalls, virtual private networks, intrusion detection systems, and Web content filtering and antispam software

Technologies and Tools for Security and Control

Improve Security
• Wi-Fi network settings
• HTTPS
• SSL/TLS: secure connection
• Mail/message encryption

Encryption
• Encryption: rmvtu[yopm-fodszqujpo
– Coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted
• Public key encryption:
– Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key
• Public Key Infrastructure (PKI):
– Use of public key cryptography working with a certificate authority

Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Ensuring System Availability

Solution Guidelines
• Security and control must become a more visible and explicit priority and area of information systems investment
• Support and commitment from top management is required to show that security is indeed a corporate priority and vital to all aspects of the business
• Security and control should be the responsibility of everyone in the organization

Management Opportunities, Challenges, and Solutions

Learning Objectives
• Analyze why information systems need special protection from destruction, error, and abuse.
• Assess the business value of security and control.
• Design an organizational framework for security and control.
• Evaluate the most important tools and technologies for safeguarding information resources.
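The firewall slide above distinguishes packet filtering (header fields only) from stateful inspection (is this packet part of an ongoing dialogue?). The following is an added example, not part of the original slides, that simulates both decisions over three constructed packets; the internal prefix 10.0.0., the addresses and the ports are assumptions chosen for the demo.

```python
# Added example, not from the slides: a toy packet filter contrasting
# stateless packet filtering with stateful inspection. Addresses, ports
# and packets are constructed inline; no real network traffic is involved.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."    # assumed internal address prefix
WEB_PORTS = (80, 443)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag: first packet of a new dialogue

def stateless_filter(pkt: Packet) -> bool:
    """Packet filtering decides from header fields alone: outbound web
    requests pass, and so does any inbound packet whose source port looks
    like a web server's, because a reply and an unsolicited packet share
    the same header shape."""
    outbound = pkt.src.startswith(INTERNAL_NET) and pkt.dport in WEB_PORTS
    looks_like_reply = pkt.dst.startswith(INTERNAL_NET) and pkt.sport in WEB_PORTS
    return outbound or looks_like_reply

class StatefulFilter:
    """Stateful inspection remembers dialogues that internal hosts start and
    admits an inbound packet only when it belongs to one of them."""

    def __init__(self):
        self.connections = set()    # (int ip, int port, ext ip, ext port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INTERNAL_NET) and pkt.dport in WEB_PORTS:
            if pkt.syn:             # a new outbound dialogue begins
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: admit only if it is the reverse of a tracked 4-tuple.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def demo():
    """Constructed traffic: a web request, its reply, then an unsolicited
    inbound packet that merely carries source port 80."""
    fw = StatefulFilter()
    traffic = [Packet("10.0.0.5", 51000, "203.0.113.7", 80, syn=True),
               Packet("203.0.113.7", 80, "10.0.0.5", 51000),
               Packet("198.51.100.9", 80, "10.0.0.5", 3389, syn=True)]
    return ([stateless_filter(p) for p in traffic],   # [True, True, True]
            [fw.allow(p) for p in traffic])           # [True, True, False]
```

The third packet is the point of the exercise: the stateless filter admits it because its header resembles a web reply, while the stateful filter drops it because no internal host ever opened that dialogue.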
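The public key flow described above (look up the recipient's public key in a directory, encrypt, send, decrypt with the private key) as an added example, not from the slides, worked through with textbook RSA on the small primes 61 and 53; the directory, the recipient name and the message are constructed for the demo, and the keys are far too small for real use.

```python
# Added example, not from the slides: the public key exchange described
# above, worked through with textbook RSA on deliberately tiny primes.
# Real systems use keys of 2048 bits or more plus padding; this only shows
# how the two keys relate and that the private key alone undoes the public one.
from math import gcd

DIRECTORY = {}      # constructed stand-in for the public key directory

def make_keypair(p: int, q: int, e: int = 17):
    """Derive public key (n, e) and private key (n, d) from two primes.
    d is the inverse of e modulo (p-1)(q-1): that is the mathematical
    relation between the two keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)             # modular inverse, Python 3.8+
    return (n, e), (n, d)

def encrypt(public_key, message: bytes) -> list:
    """Sender: lock each byte with the recipient's public key."""
    n, e = public_key
    return [pow(b, e, n) for b in message]

def decrypt(key, ciphertext: list) -> list:
    """Apply a key to each number; only the matching private key yields
    the original bytes."""
    n, k = key
    return [pow(c, k, n) for c in ciphertext]

def demo():
    """Recipient publishes a public key, the sender encrypts with the
    directory copy, and the recipient decrypts with the private key."""
    pub, priv = make_keypair(61, 53)    # toy primes; n = 3233
    DIRECTORY["alice"] = pub            # only the public half is shared
    message = b"wire $500"
    ct = encrypt(DIRECTORY["alice"], message)     # numbers on the wire
    recovered = bytes(decrypt(priv, ct))
    # Applying the public key again does not give the message back.
    public_attempt = decrypt(pub, ct) == list(message)
    return recovered, public_attempt      # (b'wire $500', False)
```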