Information System protection and Security (presentation transcript)
Need for Information System Security
- With the invention of computers and telecommunication systems, organizations have started using more and more computer-based information systems, especially networked systems.
- As a result, information systems have become easy targets of threats, because the internet connects thousands of unsecured computer networks that communicate with each other.
INFORMATION SYSTEMS SECURITY
A discipline that protects the
- Confidentiality,
- Integrity and
- Availability
of information and information services.
Threats to Computerized Information Systems
- Hardware failure
- Software failure
- Personnel actions
- Terminal access penetration
- Theft of data, services, equipment
- Fire
- Electrical problems
- User errors
- Unauthorized program changes
- Telecommunication problems
Threats to Computerized Information Systems
- In general, the major threats to an IS are categorized as:
  - Human error or failures
  - Manipulation of data/system
  - Theft of data/system
  - Destruction from viruses
  - Technical failures/errors of systems
  - Natural disasters like flood, fire, earthquake etc.
Human errors or failures
- In this category, unintentional errors are made by an authorized user.
- The authorized user may commit errors like entry of wrong data, accidental deletion or modification of data, or storage of data in unprotected areas like a desktop.
- Errors happen because of lack of experience, improper training or other circumstances.
Manipulation of Data/System
- This category of threat arises from the deliberate acts of persons or organizations designed to harm the data or information systems of an organization.
- Here an unauthorized individual gains access to private/confidential data and purposefully commits wrongful acts such as deleting, corrupting or stealing the data.
Theft of Data/Systems
It is a deliberate attempt by some person to steal the important data of an organization.
- Hackers: persons who intercept communication lines to steal data without the knowledge of the owner of the data.
- Crackers: persons who illegally break into other people's secure systems and networks.
- Cyber Terrorists: persons who threaten and attack other people's computers.
Motivation for Hackers:
- The challenge
- Espionage
- Mischief
- Money (extortion or theft)
- Revenge
Destruction from Viruses (Threats: MALWARE)
Malware is Malicious Software: deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software. There are several types...
Malware Types
- Worms: programs that are capable of independently propagating throughout a computer network. They replicate fast and consume large amounts of the host computer's memory.
- Trojan Horses: programs that contain hidden functionality that can harm the host computer and the data it contains. Trojan horses are not automatic replicators; computer users inadvertently set them off.
- Software Bombs:
  - Time Bombs: triggered by a specific time/date.
  - Logic Bombs: triggered by a specific event.
  Both are introduced some time beforehand and will damage the host system.
Technical Failures/errors of system
- This category of threat includes technical failures or errors, which may occur because of manufacturing defects in the hardware or hidden faults in the software.
Natural Disasters
- These threats come from acts of God that cannot be prevented or controlled.
- They include fire, flood, earthquake, lightning etc.
Protecting Information Systems
- The organization plans and implements various kinds of IS controls so as to avoid, reduce and manage the risks of the threats.
- The controls are:
  - Physical controls
  - Technical controls
  - Administrative controls
  - General controls
  - Application controls
Physical controls
- These include protecting computer hardware, software, databases etc.
  - The location and layout of the computer centre must be well planned, i.e. the computer centre should be waterproof and fireproof, have proper air-conditioning and fire-extinguishing systems, and have emergency power shutoffs and backup systems.
Technical controls
- Technical controls are implemented within the IS application itself.
- They include:
  - Access controls: the restrictions imposed to prevent unauthorized access by any user.
  - The identification of a user can be obtained through a unique user identifier such as a password, digital signature, voice, fingerprint etc.
  - Data Security controls: can be implemented through operating systems, database security, access control programmes, backup and recovery procedures.
  - Administrative controls: include the guidelines and rules of the organization for the use and deployment of IS resources.
  - Application controls: include input controls, processing controls and output controls.
Information system security technology
- Firewall: refers to a protection device that allows selected data flows into or out of the organization based on predefined rules.
- It acts like a watchman that does not allow any unauthorized user to access the servers of an organization.
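The slide describes a firewall as a device that permits selected traffic according to predefined rules. The following Python model is an added example, not code from the original presentation: it evaluates packets against an ordered rule list where the first matching rule wins and anything unmatched falls to a default-deny policy. The addresses (documentation ranges), the sample policy and the packets are constructed for the example.

```python
"""Rule-based packet filter model: first matching rule wins, default deny.

Added illustration for the firewall slide; not code from the original
presentation. Addresses and rules below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR); default = any
    dst: str = "0.0.0.0/0"       # destination network (CIDR); default = any
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed sample policy: a public web server at 203.0.113.10 and an
# administrator network 198.51.100.0/24 (both are documentation address ranges).
POLICY: List[Rule] = [
    Rule("deny", src="10.0.0.0/8", comment="private source address on the outside"),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443, comment="public HTTPS"),
    Rule("allow", src="198.51.100.0/24", dst="203.0.113.10/32", proto="tcp", dport=22,
         comment="SSH from admin network only"),
    # No final rule: anything unmatched falls through to the default policy below.
]


def evaluate(rules: List[Rule], packet: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (action, reason) for the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.comment
    return default, "implicit default policy"


def audit(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Produce one log line per packet, in the style a firewall would emit."""
    lines = []
    for p in packets:
        action, reason = evaluate(rules, p)
        lines.append(f"{action.upper():5} {p.proto}/{p.dport} {p.src} -> {p.dst} ({reason})")
    return lines


if __name__ == "__main__":
    sample = [
        Packet("192.0.2.77", "203.0.113.10", "tcp", 443),   # anyone may reach HTTPS
        Packet("192.0.2.77", "203.0.113.10", "tcp", 22),    # SSH from outside: denied
        Packet("198.51.100.5", "203.0.113.10", "tcp", 22),  # SSH from admin net: allowed
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),     # private source on outside
    ]
    print("\n".join(audit(POLICY, sample)))
```

The order of the rules matters: the rule rejecting private source addresses sits first so it cannot be bypassed by the broader HTTPS allow, and the absence of a catch-all allow means every service not listed is unreachable until a rule is written for it.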
Proxy Servers
- A proxy server acts as a representative of the true server of an organization.
- When a person from outside requests a particular web page, the proxy server receives the request, in turn asks the true server for the information, and then responds to the person's request on behalf of the true web server.
- The person gets the information without coming into direct contact with the true web server.
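To show the exchange the slide describes (client asks the proxy, proxy asks the true server, proxy answers on its behalf), here is an added example using only the Python standard library; it is not code from the original presentation. It starts a stand-in origin server and a reverse proxy on 127.0.0.1 with OS-chosen ports so that it runs offline. The path policy, the header names and the "EdgeProxy"/"TrueServer" identities are constructed for the example.

```python
"""Minimal reverse proxy in front of a stand-in origin server, standard library only.

Added illustration for the proxy-server slide; not code from the original
presentation. Path policy and server identities are constructed for the example."""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Paths the proxy is willing to forward; everything else is refused at the edge.
ALLOWED_PREFIXES = ("/public/",)
# Origin response headers never copied to the client: hop-by-hop headers, ones the
# proxy regenerates itself, and the Server header that reveals the true server.
STRIP_HEADERS = {"server", "date", "connection", "keep-alive",
                 "transfer-encoding", "content-length"}


class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in for the organization's true web server."""
    def version_string(self):
        return "TrueServer/1.0"   # identity the proxy must not expose

    def do_GET(self):
        body = f"origin content for {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def make_proxy_handler(origin_base: str):
    """Build a handler class bound to the origin's base URL (e.g. http://127.0.0.1:PORT)."""
    opener = build_opener(ProxyHandler({}))   # never chain through an environment proxy

    class EdgeProxyHandler(BaseHTTPRequestHandler):
        def version_string(self):
            return "EdgeProxy/1.0"   # the only server identity the client sees

        def do_GET(self):
            if not self.path.startswith(ALLOWED_PREFIXES):
                self.send_error(403, "Forbidden by proxy policy")
                return
            upstream = Request(origin_base + self.path,
                               headers={"X-Forwarded-For": self.client_address[0]})
            try:
                with opener.open(upstream, timeout=5) as resp:
                    status, headers, body = resp.status, resp.headers.items(), resp.read()
            except HTTPError as err:
                status, headers, body = err.code, err.headers.items(), err.read()
            self.send_response(status)
            for name, value in headers:
                if name.lower() not in STRIP_HEADERS:
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return EdgeProxyHandler


def start(handler_cls):
    """Start a server on an ephemeral localhost port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch(url: str):
    """Client helper: return (status, headers-dict, body-text), 4xx/5xx included."""
    opener = build_opener(ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode()
    except HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode()


def demo():
    """Run both servers, issue two client requests through the proxy, shut down."""
    origin, origin_url = start(OriginHandler)
    proxy, proxy_url = start(make_proxy_handler(origin_url))
    try:
        allowed = fetch(proxy_url + "/public/index.html")   # forwarded to the origin
        blocked = fetch(proxy_url + "/admin/config")        # refused at the proxy
    finally:
        for s in (proxy, origin):
            s.shutdown()
            s.server_close()
    return allowed, blocked


if __name__ == "__main__":
    for status, headers, body in demo():
        print(status, headers.get("Server"), repr(body[:60]))
```

The client only ever opens a connection to the proxy's port; the origin's address and its "TrueServer/1.0" identity never appear in what the client receives, and requests outside the allowed path prefix are answered by the proxy itself without touching the origin.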
Encryption
- In encryption the message is coded into an unreadable form and transmitted over the network.
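The slide states the idea of encryption in one sentence; the following added example (not code from the original presentation) shows the two properties a practitioner expects from a protected message: the ciphertext reveals nothing readable, and any alteration in transit is detected before the receiver acts on the content. It is built only from standard-library hash primitives so that it runs anywhere; the keystream construction (SHA-256 over a derived key, a nonce and a block counter, XORed into the message, followed by an HMAC tag) is an illustrative choice made here, and a deployed system would use a vetted cipher such as AES-GCM. Keys and messages are constructed.

```python
"""Encrypt-then-MAC message protection from standard-library hash primitives.

Added illustration for the encryption slide; not code from the original
presentation. The SHA-256 counter-mode keystream is an illustrative construction
chosen so the example needs no third-party library. Keys and messages are constructed."""
import hashlib
import hmac
import os

NONCE_LEN = 16   # fresh random value per message so equal plaintexts differ on the wire
TAG_LEN = 32     # HMAC-SHA256 output


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys so one key is never used for both jobs."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from key, nonce and a block counter (counter mode)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || ciphertext || tag. A random nonce is drawn unless one is supplied."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting; reject altered messages."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or message altered in transit")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if flipping one bit of the ciphertext is caught by decrypt()."""
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01   # first ciphertext byte (or first tag byte if empty message)
    try:
        decrypt(key, bytes(flipped))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed shared secret").digest()
    msg = b"transfer 100 to account 42"
    blob = encrypt(key, msg)
    print("on the wire :", blob.hex())
    print("recovered   :", decrypt(key, blob))
    print("tamper check:", tamper_detected(key, blob))
```

The receiver checks the tag with `hmac.compare_digest` before touching the ciphertext, so a message altered on the network is rejected rather than decrypted into garbage that an application might act on.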
Disaster recovery plan
- It involves the following steps:
  - Commitment of the top management: the top management must provide enough resources.
  - Responsibility of all employees: the IS is not the sole responsibility of an individual employee; the concept of shared responsibility of all employees is very important.
  - Appointment of a business recovery coordinator: there should be a team of persons drawn from all the departments of the organization.
  - Establishment of priorities: the committee should know what actions are required to be taken and in what order.
  - Execution of the plan: the committee should evaluate the various plans, select one depending on the situation, and execute it immediately.
  - Review and updating of the disaster recovery plan.