Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security EDU 5815 1. IT Security Terms EDU 5815 2.

Similar presentations

Presentation on theme: "Information Security EDU 5815 1. IT Security Terms EDU 5815 2."— Presentation transcript:

1 Information Security EDU 5815 1

2 IT Security Terms EDU 5815 2

3 BackupAn extra copy of the data and/or programs, kept in a secure location(s). DecryptionTransformation of scrambled code into readable data after transmission. EncryptionTransformation of data into scrambled code after transmission. ExposureThe harm, loss, or damage that can result if something has gone wrong in an information system. Fault toleranceThe ability of an information system to continue to operate (usually for a limited time and/or at a reduced level) when failure occurs. Information system controls The procedures, devices, or software that attempt to ensure that the system performs as planned. Integrity (of data)A guarantee of the accuracy, completeness, and reliability of data. System integrity is provided by the integrity of its components and their integrations. RiskThe likelihood that a threat will materialized. Threats (or hazards) The various dangers to which a system may be exposed. VulnerabilityGiven that a threat exists, the susceptibility of the system to harm caused by the threat. MalwareGeneral term for software that enables malicious acts against a computing system. EDU 5815 3

4 Organizational needs for security and control Importance of keeping all of the resources, virtual as well as physical, secure from both inside and outside threats Two critical issues must be addressed: ▫Security vs. individual rights ▫Security vs. availability EDU 5815 4

5 Security vs. individual rights Implement adequate security and control measures that do not infringe on the individual rights guaranteed by the constitution EDU 5815 5

6 Security vs. availability Prominent in the medical area Concerns over the privacy of the individuals’ records are receiving attention EDU 5815 6

7 Objective of Information Security Confidentiality Availability Integrity EDU 5815 7

8 Confidentiality The organization seek to protect its data and information from disclosure to unauthorized persons. Executive information systems, human resources information systems, and such transaction processing systems as payroll, accounts receivable, purchasing, and accounts payable are especially critical in this regard. EDU 5815 8

9 Availability The purpose of the organization’s information infrastructure is to make its data and information available to those who are authorized to used it. This objective is especially important to information-oriented systems such as human resources information systems EDU 5815 9

10 Integrity All the information systems should provide an accurate representation of the physical systems that they represent. EDU 5815 10

11 System Vulnerability EDU 5815 11  A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.  An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

12 System Vulnerability Continued These threats can be classified as: ▫Unintentional  Human errors  Environmental hazards  Computer system failures ▫Intentional  Theft of data  Inappropriate use of data  Theft of mainframe computer time  Theft of equipment and/or programs EDU 5815 12 The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.

13 System Vulnerability Continued ▫Intentional continued  Deliberate manipulation in handling  Entering data  Processing data  Transferring data  Programming data  Labor strikes  Riots  Sabotage  Malicious damage to computer resources  Destruction from viruses and similar attacks  Miscellaneous computer abuses  Internet fraud.  Terrorists ’ attack EDU 5815 13

14 Threats An information security threat is a person, organization, mechanism, or event that has potential to inflict harm on the organization’s information resources. Threats can be internal as well as external, and they can be accidental as well as intentional. EDU 5815 14

15 Type of threats A virus is one example of a type of software that bears the name malicious software Malicious software or malware consists of complete programs or segments of code that can invade a system and perform functions not intended by the system owners In addition to viruses, there are worms, Trojan horses, adware, and spyware EDU 5815 15

16 Type of threats A virus is a computer program that can replicate itself without being observable and embed copies of itself in other programs and boot sectors A worm cannot replicate itself within a system, but it can transmit its copies by means of email EDU 5815 16

17 Type of threats A Trojan horse can neither replicate nor distribute itself; users distributes it as utility. When the utility is used, it produced unwanted changes in the system’s functionality. EDU 5815 17

18 Type of threats Adware generates intrusive advertising messages Spyware gathers data from the user’s machine EDU 5815 18

19 EDU 5815 19

20 Risks Information security risk is a potential undesirable outcome of a breach of information security by an information security threat All risks represent unauthorized acts EDU 5815 20

21 Four type of risks 1.Unauthorized Disclosure and Theft ▫When the database and software library are made available to persons not entitled to have access ▫The result can be the loss of information or money 2.Unauthorized Use – When persons who are not ordinarily entitled to use the organization’s resources are able to do so – hacker EDU 5815 21

22 Four type of risks 3.Unauthorized Destruction and Denial of Service – Individuals can damage or destroy hardware or software, causing the organization’s computer operation to shut down 4.Unauthorized Modification – Changes been made to the data, information and software. – Changes go unnoticed and cause the users of the system outputs to make the wrong decisions EDU 5815 22

23 Challenges and Ethics of IT Application of IT ▫Customer relationship management ▫Human resources management ▫Business intelligence systems Potential Harm ▫Infringements on privacy ▫Inaccurate information ▫Collusion EDU 5815 23

24 Challenges and Ethics of IT Possible Responses EDU 5815 24

25 Protecting Information Resources Aligned. The program must be aligned with organizational goals. Enterprisewide. Everyone in the organization must be included. Continuous. The program must be operational all the time. Proactive. Use innovative, preventive, and protective measures. Validated. The program must be tested to ensure it works. Formal. It must include authority, responsibility & accountability. EDU 5815 25 Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:

26 Difficulties – Protecting (discussion) EDU 5815 26

27 Defense Strategy - Protecting The major objectives of a defense strategy are: 1.Prevention and deterrence. 2.Detection. 3.Limitation of damage. 4.Recovery. 5.Correction 6.Awareness and compliance EDU 5815 27

28 Defense Strategy - Controls EDU 5815 28 Any defense strategy involves the use of several controls. These controls are divided into two categories general controls that protect the system regardless of the specific application and application controls that safeguard specific applications. General Application

29 Defense Strategy – Internet Security EDU 5815 29 Security Layers The major objective of border security is access control. Then authentication or proof of identity and finally authorization which determine the action or activities a user is allowed to perform.

30 Ethical Responsibilities What uses of IT might be considered improper or harmful to other individuals or society? What is the proper use of the Internet or organization's IT resources? How can you protect yourself from computer crime? EDU 5815 30

Download ppt "Information Security EDU 5815 1. IT Security Terms EDU 5815 2."

Similar presentations

Ads by Google