Presentation is loading. Please wait.

Presentation is loading. Please wait.

Management Information Systems by Prof. Park Kyung-Hye Chapter 14 (15th Week) Risks, Security, and Disaster Recovery 14.

Published byAudra Leonard Modified over 8 years ago

Similar presentations

Presentation on theme: "Management Information Systems by Prof. Park Kyung-Hye Chapter 14 (15th Week) Risks, Security, and Disaster Recovery 14."— Presentation transcript:

1 Management Information Systems by Prof. Park Kyung-Hye Chapter 14 (15th Week) Risks, Security, and Disaster Recovery 14

2 Objectives Risks, Security, and Disaster Recovery Describe the primary goals of information security Enumerate the main types of risks to information systems List the various types of attacks on networked systems Describe the types of controls required to ensure the integrity of data entry and processing and uninterrupted e-commerce Describe the various kinds of security measures that can be taken to protect data and Iss 2 Improve the security of your personal information system and the information it stores Recognize online scams Outline the principles of developing a recovery plan Explain the economic aspects of information security

3 Goals of Information Security 3 Protecting IT resources is a primary concern Risks, Security, and Disaster Recovery Securing corporate ISs is becoming increasingly challenging The major goals of information security are to: Reduce the risk of systems ceasing operation Maintain information confidentiality Ensure the integrity and reliability of data resources Ensure the uninterrupted availability of resources Ensure compliance with policies and laws

4 Risks to Information Systems 4 Downtime: the period of time during which an IS is not available Risks, Security, and Disaster Recovery Extremely expensive: average losses of: $2,500/minute for CRM systems $7,800/minute for e-commerce applications $4 billion lost annually in the U.S. due to downtime

5 Risks to Hardware 5 #1 cause of system downtime is hardware failure Risks, Security, and Disaster Recovery Major causes of damage to hardware include: Natural disasters - Fires, floods, earthquakes, hurricanes, tornadoes, and lightning Blackouts and brownouts - Blackout: total loss of electricity - Brownout: partial loss of electricity - Uninterruptible power supply (UPS): backup power Vandalism - Deliberate destruction

6 Risks to Data and Applications 6 Data should be a primary concern because it is often a unique resource Risks, Security, and Disaster Recovery Data and applications are susceptible to disruption, damage, and theft The culprit in damage to software or data is almost always human Keystroke logging: records individual keystrokes Social engineering: con artists pretend to be service people, and ask for passwords Identity theft: pretending to be another person

7 Risks to Data and Applications (continued) 7 Risks, Security, and Disaster Recovery

8 Risks to Data and Applications (continued) 8 Risks, Security, and Disaster Recovery

9 Risks to Data and Applications (continued) 9 Risks to data include: Risks, Security, and Disaster Recovery Deliberate alteration or destruction is often done as a prank, but has a high cost The target may be a company’s Web site Honeytoken: a bogus record in a networked database used to combat hackers Alteration Destruction Web defacement

10 Risks to Data and Applications (continued) 10 Honeypot: a server containing a mirrored copy of a database or a bogus database Risks, Security, and Disaster Recovery Virus: spreads from computer to computer Worm: spreads in a network without human intervention Educates security officers about vulnerable points Antivirus software: protects against viruses Trojan horse: a virus disguised as legitimate software

11 Risks to Data and Applications (continued) 11 Risks, Security, and Disaster Recovery

12 Risks to Data and Applications (continued) 12 Logic bomb: software that is programmed to cause damage at a specific time Risks, Security, and Disaster Recovery Unintentional, nonmalicious damage can be caused by: Human error Lack of adherence to backup procedures Poor training Unauthorized downloading and installation of software may cause damage

13 Risks to Online Operations 13 Many hackers try daily to interrupt online businesses Risks, Security, and Disaster Recovery Types of attacks include: Unauthorized access Data theft Defacing of Web pages Denial of service Hijacking

14 Denial of Service 14 Denial of service (DoS): an attacker launches a large number of information requests Risks, Security, and Disaster Recovery Slows down legitimate traffic to site Distributed denial of service (DDoS): an attacker launches a DoS attack from multiple computers Usually launched from hijacked personal computers called “zombies” No definitive cure for this A site can filter illegitimate traffic

15 Computer Hijacking 15 Hijacking: using some or all of a computer’s resources without the consent of its owner Risks, Security, and Disaster Recovery Often done for making a DDoS attack Done by installing a software bot on the computer Main purpose of hijacking is usually to send spam Bots are planted by exploiting security holes in operating systems and communications software A bot usually installs e-mail forwarding software

16 Controls 16 Controls: constraints and restrictions imposed on a user or a system Risks, Security, and Disaster Recovery Controls can be used to secure against risks Controls are also used to ensure that nonsensical data is not entered Controls can reduce damage caused to systems, application, and data

17 Controls (continued) 17 Risks, Security, and Disaster Recovery

18 Application Reliability and Data Entry Controls 18 A reliable application is one that can resist inappropriate usage such as incorrect data entry or processing Risks, Security, and Disaster Recovery The application should provide clear messages when errors or deliberate misuses occur Controls also translate business policies into system features

19 Backup 19 Backup: periodic duplication of all data Risks, Security, and Disaster Recovery Redundant Arrays of Independent Disks (RAID): set of disks programmed to replicate stored data Data must be routinely transported off-site as protection from a site disaster Some companies specialize in data backup services or backup facilities for use in the event of a site disaster

20 Access Controls 20 Access controls: measures taken to ensure only authorized users have access to a computer, network, application, or data Risks, Security, and Disaster Recovery Physical locks: lock the equipment in a secure facility Software locks: determine who is authorized Three types of access controls: What you know: access codes, such as user ID and password What you have: requires special devices Who you are: unique physical characteristics

21 Access Controls (continued) 21 Access codes and passwords are usually stored in the OS or in a database Risks, Security, and Disaster Recovery Security card is more secure than a password Allows two-factor access Biometric: uses unique physical characteristics such as fingerprints, retinal scans, or voiceprints Up to 50% of help desk calls are from people who have forgotten their passwords Biometrics can eliminate these kinds of calls

22 Access Controls (continued) 22 Risks, Security, and Disaster Recovery

23 Atomic Transactions 23 Atomic transaction: a set of indivisible transactions Risks, Security, and Disaster Recovery All of the transactions in the set must be completely executed, or none can be Ensures that only full entry occurs in all the appropriate files to guarantee integrity of the data Is also a control against malfunction and fraud

24 Atomic Transactions (continued) 24 Risks, Security, and Disaster Recovery

25 Audit Trail 25 Audit trail: a series of documented facts that help detect who recorded which transactions, at what time, and under whose approval Risks, Security, and Disaster Recovery Sometimes automatically created using data and timestamps Certain policy and audit trail controls are required in some countries Information systems auditor: a person whose job is to find and investigate fraudulent cases

26 Security Measures 26 Organizations can protect against attacks using various approaches, including: Risks, Security, and Disaster Recovery Firewalls Authenti- cation Encryption Digital signatures Digital certificates

27 Firewalls and Proxy Servers 27 Firewall: the best defense against unauthorized access over the Internet Risks, Security, and Disaster Recovery Consists of hardware and software that blocks access to computing resources Firewalls are now routinely integrated into routers DMZ: demilitarized zone approach One end of the network is connected to the trusted network, and the other end to the Internet Proxy server: represents another server Employs a firewall, and is usually placed between the Internet and the trusted network

28 Firewalls and Proxy Servers (continued) 28 Risks, Security, and Disaster Recovery

29 Authentication and Encryption 29 Authentication: the process of ensuring that you are who you say you are Risks, Security, and Disaster Recovery Encryption: coding a message into an unreadable form Messages are encrypted and authenticated to ensure security A message may be text, image, sound, or other digital information

30 Authentication and Encryption (continued) 30 Risks, Security, and Disaster Recovery

31 Authentication and Encryption (continued) 31 Encryption programs scramble the transmitted information Risks, Security, and Disaster Recovery Encryption uses a mathematical algorithm and a key Key: a unique combination of bits that will decipher the ciphertext Public-key encryption: uses two keys, one public and one private Plaintext the original message Plaintext the original message Ciphertext the encoded message Ciphertext the encoded message

32 Authentication and Encryption (continued) 32 Risks, Security, and Disaster Recovery

33 Authentication and Encryption (continued) 33 Symmetric encryption: when the sender and the recipient use the same key Risks, Security, and Disaster Recovery Transport Layer Security (TLS): a protocol for transactions on the Web that uses a combination of public key and symmetric key encryption HTTPS: the secure version of HTTP Asymmetric encryption: both a public and a private key are used Digital signature: a means to authenticate online messages; implemented with public keys

34 Authentication and Encryption (continued) 34 Risks, Security, and Disaster Recovery

35 Authentication and Encryption (continued) 35 Risks, Security, and Disaster Recovery

36 Authentication and Encryption (continued) 36 Message digest: unique fingerprint of file Risks, Security, and Disaster Recovery Digital certificates: computer files that associate one’s identity with one’s public key Issued by certificate authority Certificate authority (CA): a trusted third party A digital certificate contains its holder’s name, a serial number, its expiration dates, and a copy of holder’s public key Also contains the digital signature of the CA

37 Authentication and Encryption (continued) 37 Risks, Security, and Disaster Recovery

38 The Downside of Security Measures 38 Single sign-on (SSO): a user must enter his or her name/password only once Risks, Security, and Disaster Recovery Every message must be encrypted and then decrypted Single sign-on saves employees time Encryption slows down communication IT specialists must clearly explain the implications of security measures to upper management

39 Recovery Measures 39 Security measures may reduce mishaps, but no one can control all disasters Risks, Security, and Disaster Recovery Preparation for uncontrolled disasters requires that recovery measures are in place Redundancy may be used Very expensive, especially in distributed systems Other measures must be taken

40 The Business Recovery Plan 40 Business recovery plan: a plan about how to recover from a disaster Risks, Security, and Disaster Recovery Also called disaster recovery plan, business resumption plan, or business continuity plan Nine steps to develop a business recovery plan: Obtain management’s commitment to the plan 1 Establish a planning committee 2 Perform risk assessment and impact analysis 3 Prioritize recovery needs 4 - Mission-critical applications: those without which the business cannot conduct operations

41 The Business Recovery Plan (continued) 41 Risks, Security, and Disaster Recovery Nine steps to develop a business recovery plan (cont.) : Select a recovery plan 5 Select vendors 6 Develop and implement the plan 7 Test the plan 8 Continually test and evaluate 9 The plan should include key personnel and their responsibilities

42 Recovery Planning and Hot Site Providers 42 Risks, Security, and Disaster Recovery Can outsource recovery plans to firms that specialize in disaster recover planning Hot sites: alternative sites that a business can use when a disaster occurs Backup sites provide desks, computer systems, and Internet links

43 The Economics of Information Security 43 Risks, Security, and Disaster Recovery Security measures should be regarded as analogous to insurance Spending for security measures should be proportional to the potential damage A business must assess the minimum acceptable rate of system downtime and ensure that the company can financially sustain the downtime

44 How Much Security Is Enough Security? 44 Risks, Security, and Disaster Recovery Two costs should be considered: As the cost of security measures increases, the cost of potential damage decreases Cost of the potential damage Cost of implementing a preventative measure Companies try to find the optimal point The company must define what needs to be protected Security measures should never exceed the value of protected system

45 How Much Security Is Enough Security? (continued) 45 Risks, Security, and Disaster Recovery

46 Calculating Downtime 46 Risks, Security, and Disaster Recovery Businesses should try to minimize downtime, but the benefit of greater uptime must be compared to the added cost Interdependent systems have greater downtime Many ISs are now interfaced with other systems Mission-critical systems must be connected to an alternative source of power, duplicated with a redundant system, or both Redundancy reduces downtime

47 Summary 47 The purpose of controls and security measures is to maintain the functionality of ISs Risks to ISs include risks to hardware, data, and networks, and natural disaster and vandalism Risks to data and applications include theft of information, identity theft, data alteration, data destruction, defacement of Web sites, viruses, worms, logic bombs, and nonmalicious mishaps Risks to online systems include denial of service and hijacking Controls are used to minimize disruption Access controls require information to be entered before resources are made available Atomic transactions ensure data integrity Risks, Security, and Disaster Recovery

48 Summary (continued) 48 Firewalls protect against Internet attacks Encryption schemes scramble messages to protect them on the Internet A key is used to encrypt and decrypt messages SSL, TLS, and HTTPS are encryption standards designed for the Web Keys and digital certificates can be purchased from a certificate authority Many organizations have business recovery plans, which may be outsourced Careful evaluation of the amount spent on security measures is necessary Redundancy reduces the probability of downtime Governments are obliged to protect citizens against crime and terrorism Risks, Security, and Disaster Recovery

Download ppt "Management Information Systems by Prof. Park Kyung-Hye Chapter 14 (15th Week) Risks, Security, and Disaster Recovery 14."

Similar presentations

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Management Information Systems, Sixth Edition

Management Information Systems, Sixth Edition
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Risks, Controls and Security Measures

Risks, Controls and Security Measures
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.

Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
E-Commerce Security and Fraud Issues and Protections

E-Commerce Security and Fraud Issues and Protections
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
OV 11 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.

OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.

Similar presentations

Ads by Google