Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Security, Crime, Compliance, and Continuity C hapter 5 5-1 Copyright 2012 John Wiley & Sons, Inc. Course Part II. Data and Network Infrastructure.

Published bySteven Daniel Modified over 9 years ago

Similar presentations

Presentation on theme: "IT Security, Crime, Compliance, and Continuity C hapter 5 5-1 Copyright 2012 John Wiley & Sons, Inc. Course Part II. Data and Network Infrastructure."— Presentation transcript:

1 IT Security, Crime, Compliance, and Continuity C hapter 5 5-1 Copyright 2012 John Wiley & Sons, Inc. Course Part II. Data and Network Infrastructure

2 Chapter 5 Outline 5.1 Protecting Data and Business Operations 5.2 IS Vulnerabilities and Threats 5.3 Fraud, Crimes, and Violations 5.4 Information Assurance and Risk Management 5.5 Network Security 5.6 Internal Control and Compliance 5.7 Business Continuity and Auditing Copyright 2012 John Wiley & Sons, Inc. 5-2

3 Chapter 5 Learning Objectives  Understand the objectives, functions, and financial value of IT security.  Recognize IS vulnerabilities, threats, attack methods, and cybercrime symptoms.  Understand crimes committed against computers and crimes committed with computers.  Explain key methods of defending information systems, networks, and wireless devices.  Understand network security risks and defenses.  Describe internal control & fraud; and fraud legislation.  Understand business continuity and disaster recovery planning methods. Copyright 2012 John Wiley & Sons, Inc. 5-3

4 5.1 Protecting Data and Business Operations Copyright 2012 John Wiley & Sons, Inc. 5-4  IT security: the protection of data, systems, networks, and operations.  Technology defenses are necessary, but they’re not sufficient because protecting data and business operations also involves: Implementing and enforcing acceptable use policies (AUPs). Complying with government regulations and laws. Making data available 24x7 while restricting access. Promoting secure and legal sharing of information.

5 IT Security Principles Copyright 2012 John Wiley & Sons, Inc. 5-5

6 Know Your Enemy and Your Risks  IT security risks are business risks  Threats range from high-tech exploits to gain access to a company’s networks to non-tech tactics such as stealing laptops or items of value. Common examples: Malware (malicious software): viruses, worms, trojan horses, spyware, and disruptive or destructive programs insider error or action, either intentional or unintentional. Fraud Fire, flood, or other natural disasters Copyright 2012 John Wiley & Sons, Inc. 5-6

7 IT at Work 5.1 $100 Million Data Breach  May 2006: a laptop and external hard drive belonging to the U.S. Dept of Veterans Affairs (VA) were stolen during a home burglary.  Data on 26.5 million veterans and spouses had been stored in plaintext.  VA Secretary Jim Nicholson testified before Congress that it would cost at least $10 million just to inform veterans of the security breach.  Total cost of data breach: $100 million Copyright 2012 John Wiley & Sons, Inc. 5-7

8 Risks  Cloud computing  Social networks  Phishing  Search engine manipulation  Money laundering  Organized crime  Terrorist financing Copyright 2012 John Wiley & Sons, Inc. 5-8

9 IT Security Defense-in-Depth Model Copyright 2012 John Wiley & Sons, Inc. 5-9

10 5.2 IS Vulnerabilities and Threats  Unintentional human error environmental hazards computer system failure  Intentional hacking malware manipulation Copyright 2012 John Wiley & Sons, Inc. 5-10

11 Copyright 2012 John Wiley & Sons, Inc. 5-11 Figure 5.4 How a computer virus can spread

12 Malware and Botnet Defenses  Anti-virus software  Firewalls  Intrusion detection systems (IDS)  Intrusion prevention systems (IPS) Copyright 2012 John Wiley & Sons, Inc. 5-12

13 5.3 Fraud, Crimes, and Violations 2 categories of crime: Violent Nonviolent  Fraud is nonviolent crime because instead of a gun or knife, fraudsters use deception, confidence, and trickery.  Occupational fraud refers to the deliberate misuse of the assets of one’s employer for personal gain. Copyright 2012 John Wiley & Sons, Inc. 5-13

14 IT at Work 5.4 Madoff Defrauds Investors of $64.8 Billion  Bernard Madoff is in jail after pleading guilty in 2009 to the biggest fraud in Wall Street history.  Fundamentally, Madoff relied on social engineering and the predictability of human nature to generate income for himself. Copyright 2012 John Wiley & Sons, Inc. 5-14 Figure 5.5 Annual Returns on a Madoff-Investor’s account from 2001-2007

15 Internal Fraud Prevention and Detection  IT has a key role to play in demonstrating effective corporate governance and fraud prevention.  Internal fraud prevention measures are based on the same controls used to prevent external intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access.  Fraud detection can be handled by intelligent analysis engines using advanced data warehousing and analytics techniques. Copyright 2012 John Wiley & Sons, Inc. 5-15

16 5.4 IT and Network Security Objectives of a defense strategy 1.Prevention and deterrence 2.Detection 3.Containment 4.Recovery 5.Correction 6.Awareness and compliance Copyright 2012 John Wiley & Sons, Inc. 5-16

17 Copyright 2012 John Wiley & Sons, Inc. 5-17 Figure 5.6 Major defense controls

18 Major categories of general controls  physical controls  access controls  biometric controls  communication network controls  administrative controls  application controls  endpoint security and control Copyright 2012 John Wiley & Sons, Inc. 5-18

19 Copyright 2012 John Wiley & Sons, Inc. 5-19 Figure 5.7 Intelligent agents

20 5.5 Network Security Copyright 2012 John Wiley & Sons, Inc. 5-20 Figure 5.8 Three layers of network security measures

21 Copyright 2012 John Wiley & Sons, Inc. 5-21 Figure 5.9 Where IT security mechanisms are located

22 Authentication Questions to help authenticate a person: 1. Who are you? Is this person an employee, a partner, or a customer? Different levels of authentication would be set up for different types of people. 2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee logging on from a remote site. 3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data? Copyright 2012 John Wiley & Sons, Inc. 5-22

23 5.6 Internal Control and Compliance Internal control (IC) is a process designed to achieve: reliability of financial reporting operational efficiency compliance with laws regulations and policies safeguarding of assets Copyright 2012 John Wiley & Sons, Inc. 5-23

24 Internal Controls Needed for Compliance  Sarbanes-Oxley Act (SOX) is an antifraud law. It requires more accurate business reporting and disclosure of GAAP (generally accepted accounting principles) violations, including fraud.  SOX and the SEC made it clear that if controls can be ignored, there is no control—a violation of SOX.  If the company shows its employees that the company can find out everything that every employee does and use that evidence to prosecute, then the feeling that “I can get away with it” drops drastically. Copyright 2012 John Wiley & Sons, Inc. 5-24

25 Symptoms of Fraud That Can Be Detected by Internal Controls  Missing documents  Delayed bank deposits  Numerous outstanding checks or bills  Employees who do not take vacations  A large drop in profits  A major increase in business with one particular customer  Customers complaining about double billing  Repeated duplicate payments  Employees with the same address or phone number as a vendor Copyright 2012 John Wiley & Sons, Inc. 5-25

26 5.7 Business Continuity and Auditing  An important element in any security system is the business continuity plan, also known as the disaster recovery plan.  The plan outlines the process by which businesses should recover from a major disaster.  The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each business function should have a valid recovery capability plan. The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors. Copyright 2012 John Wiley & Sons, Inc. 5-26

27 Risk-Management Analysis Expected loss = P 1 × P 2 × L where: P 1 = probability of attack P 2 = probability of attack being successful L = loss occurring if attack is successful Example: P 1 =.02, P 2 =.10, L = $1,000,000 Expected loss from this particular attack is P 1 × P 2 × L = 0.02 × 0.1 × $1,000,000 = $2,000 Copyright 2012 John Wiley & Sons, Inc. 5-27

28 Ethical issues  Implementing security programs raises many ethical issues.  Handling the privacy versus security dilemma is tough.  Ethical and legal obligations that may require companies to “invade the privacy” of employees and monitor their actions.  Under the doctrine of duty of care, senior managers and directors have a fiduciary obligation to use reasonable care to protect the company’s business operations. Copyright 2012 John Wiley & Sons, Inc. 5-28

29 Chapter 5 Link Library  Information Security Magazine http://searchsecurity.techtarget.comhttp://searchsecurity.techtarget.com  CIO Magazine, IT Security http://cio.com/topic/3089/Securityhttp://cio.com/topic/3089/Security  Computer and Internet Security http://cnet.com/internet-securityhttp://cnet.com/internet-security  IT Governance Institute http://itgi.orghttp://itgi.org  U.S. Computer Emergency Readiness Team http://us- cert.gov/cas/tips/http://us- cert.gov/cas/tips/  SANS Information Security Reading Room sans.org/reading_room/sans.org/reading_room/  Privacy news from around the world pogowasright.org/pogowasright.org/  Government Computer News (GCN ) http://gcn.com/http://gcn.com/  CompTIA http://comptia.org/http://comptia.org/  F-Secure http://f-secure.com/en_US/security/security-center/http://f-secure.com/en_US/security/security-center/  Social engineering http://symantec.com/connect/articles/social- engineeringhttp://symantec.com/connect/articles/social- engineering Copyright 2012 John Wiley & Sons, Inc. 5-29

Download ppt "IT Security, Crime, Compliance, and Continuity C hapter 5 5-1 Copyright 2012 John Wiley & Sons, Inc. Course Part II. Data and Network Infrastructure."

Similar presentations

Nishidh, CISSP. To comply with Sarbanes oxley and other legislations To comply with industry standards and business partner requirements To protect.

Nishidh, CISSP. To comply with Sarbanes oxley and other legislations To comply with industry standards and business partner requirements To protect.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Information Security EDU 5815 1. IT Security Terms EDU 5815 2.

Information Security EDU IT Security Terms EDU
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin CHAPTER FOUR ETHICS AND INFORMATION SECURITY: MIS BUSINESS CONCERNS.

Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin CHAPTER FOUR ETHICS AND INFORMATION SECURITY: MIS BUSINESS CONCERNS.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
Ch.5 It Security, Crime, Compliance, and Continuity

Ch.5 It Security, Crime, Compliance, and Continuity
Separate Domains of IT Infrastructure

Separate Domains of IT Infrastructure
Security Controls – What Works

Security Controls – What Works
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Introduction to Information Technology, 2nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc. 15-1 Introduction to Information Technology.

Introduction to Information Technology, 2nd Edition Turban, Rainer & Potter © 2003 John Wiley & Sons, Inc Introduction to Information Technology.

Similar presentations

Ads by Google