Today’s Lecture Covers < Chapter 6 - IS Security

Security The system is protected against unauthorized physical and logical access.

A typical network today? INTERNET External Router Corporate Backbone Human Resources Payroll - Accounting e-Business Network Human Resources AP Cyberwall Payroll - Accounting AP Cyberwall IP Firewall DMZ IP Firewall DMZ Internal Firewall DMZ Systems

Control over Info Transmission < procedures to protect in bound information and outbound information < network design should incorporate information integrity, confidentiality and availability requirements for transmissions < network implementation and config mgt needs to be controlled

Control over Data Mgt roles and responsibilities for data mgt needed database design and implementation needs to address security, integrity and control requirements also incorporate reliability and availability requirements

Control over End-Using Computing procedures to ensure that end-users conform with organizational strategy stds for development, acquisition, documentation and operation of applications procedures. Effective support and training monitoring end-using computing

<The issue of IT Security < must id risks and design effective security processes and practices < not too much security - causes rule breaking to do job < balance between enabling staff and others to access easily and efficiently and controlling that access

Security Controls- to prevent unauthorized access to IS by outsiders unauthorized access to IS by insiders interruptions in processing at application (into each program) and general level (e.g., electronic access, physical security, back-up and recovery and contingency planning)

To meet Security Objectives < need an integrated approach: < develop policies < assign roles and responsibilities and communicate them < design a security control framework < implement on risk-prioritized and timely basis < monitor

Broad Organizational Issues policies and stds risk assessment plan, design, test and implement user and mgt involvement monitor and update

Policies & Stds responsibility of all personnel roles and responsibilities for security administrator classify systems and data in terms of sensitivity role of I/A

Risk Assessment analyze risks and exposures assess what is acceptable need to understand potential losses

Plan Design Test and Implement assess what is needed test - ensure authorized accepted/unauthorized rejected access time is reasonable audit trails are adequate

Monitoring and Update need logs need to ensure controls up to date adequate resources

Physical Access Controls - Safeguard against physical abuse, damage and destruction. Isolation and restriction - use locks, effective key management, video, sensing devices

Communication Access Controls Firewalls - hardware and software between 2 networks, all traffic must go through it, only authorized traffic may pass, and is protected from tampering Simplifies security mgt - only have to manage single point

Communication Access Controls can hide internal network since no direct outside connection can limit damage of security breaches do not protect against insider attacks often ineffective with viruses do not protect against other connections that bypass firewall

Communication Access Controls Packet filter gateway - router between 2 gateways, either forwards or blocks them (less secure than firewall) Application gateway - all packets are addressed to a user layer application at the gateway that relays them between 2 communication points

Communication Access Controls use proxies to prevent a direct connection between external and internal networks acts as middleman - decides whether traffic is secure between the hosts, forwards only secure traffic Stateful inspection - all packets queried + application, user and transportation method queried - both the state of the transmission and context in which used cannot deviate from expectations ; otherwise rejected

Dial-Up Lines Modem lines create problems use callback modems, terminal authentication devices (id terminal as authentic before connecting), passwords, encryption, human hook-ups, warnings and look at communication bills

Encryption coding messages rely on mathematical algorithms private key system - receiver must know what key is used to encipher message. Such keys must be protected public key system - use 2 keys encipher is made public different key used to decipher

Electronic Access Controls- first classify info sensitivity - need to classify information as to confidentiality and access rights access time requirements - classify according to range of tolerable access times- for example many users may need to access certain files at a particular time authorized users - based on need to know basis

Access management identification process - use userids personal characteristic userids - name - easy transferred but easy to guess.. also little privacy functional characteristic id - based on job, no need for personal id, more privacy - someone transfers however, must give new id no association ids - arbitrary - best privacy and can use if transferred

Access management authentication - obtaining proof that user is who says he/she is plastic magnetic-strip cards - atm cards, carry fixed password (PIN), can be stolen/duplicated smart cards- contain processor that allows card to interact with number of control devices and define boundary of each specific access biometric devices - fingerprints, hand geometry, eye retina patterns

Access management passwords - traditional for log-on procedure system-generated- randomly generated are less hard to guess- problem is are not really random and are meaningless to users - therefore write them down makes easier to find user- selected - has meaning but often easier to guess word association password - use cue lists that only user should know - too much computer space req'd, must be uniform

Access management Increased use of single-sign on- authenticate once across multiple platforms must be very careful due to potential access hazard Could also use profile management - allocate standard access privileges to users based on their group, rather than individual basis reduces admin costs and allows easier access and rule setting

Access management access control software- allows controlled access - locks out illegimate users