Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems.

Published byBrendan Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems."— Presentation transcript:

1 Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems

2 Copyright © 2014 Pearson Education, Inc. 2 MS in Information Technology Auditing and Cyber-Security ITACS is about assuring the confidentiality, integrity and availability of a company’s systems MIS ACCT Risk

3 Copyright © 2014 Pearson Education, Inc. 3 The Career Public Accounting Internal Accounting Government Service Corporate Security IT Management S.T.E.M.

4 Copyright © 2014 Pearson Education, Inc. 4 Ten plus courses, professional MS program Professional certification (CISA) preparation Scholarships available Looking for: Accounting, Finance, MIS, or Risk majors Some systems background GPA 3.0 or higher Rich Flanagan, Director ITACS Program richard.flanagan@temple.edu The MS ITACS Program

5 Copyright © 2014 Pearson Education, Inc. 5 Administrivia Project 2 is graded Project 3 is due tonight Exam #2 is next week Review – 4/20 – 4pm – Alter 033

6 Copyright © 2014 Pearson Education, Inc. 6 Agenda Today we will discuss all things security The discussion will mostly be high level Topics – Defining Risks – How different groups exploit security flaws – Management of the risks in the organization – How this affects contemporary business

7 Copyright © 2014 Pearson Education, Inc. 7 Worldwide losses due to software piracy in 2008 exceeded $50 billion. Business Software Alliance, 2009 Worldwide losses due to software piracy in 2005 exceeded $34 billion. Business Software Alliance, 2006 Worldwide losses due to software piracy in 2010 exceeded $59 billion. Business Software Alliance, 2011

8 Copyright © 2014 Pearson Education, Inc. 8 Chapter 10 Learning Objectives Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.

9 Copyright © 2014 Pearson Education, Inc. 9 Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.

10 Copyright © 2014 Pearson Education, Inc. 10 Computer Crime Computer crime—The act of using a computer to commit an illegal act. – Targeting a computer while committing an offense. – Using a computer to commit an offense. – Using computers to support a criminal activity. Reported trend for computer crime has been declining over the past several years (CSI, 2011). – Many incidents are never reported. – Many incidents are never detected.

11 Copyright © 2014 Pearson Education, Inc. 11 Primary Threats to Information Systems Security Natural disasters – Power outages, hurricanes, floods, and so on Accidents – Power outages, cats walking across keyboards Links to outside business contacts – Data travel between business affiliates Outsiders – Viruses Employees and consultants

12 Copyright © 2014 Pearson Education, Inc. 12 12 Types of Computer Crimes and Financial Losses What do you think happens to a company’s stock price if they report that their systems have been compromised? Would you report it if you didn’t have to?

13 Copyright © 2014 Pearson Education, Inc. 13 Federal and State Laws – Computer Fraud and Abuse Act of 1986 Stealing or compromising data about national defense, foreign relations, atomic energy, or other restricted information Violating data belonging to banks or other financial institutions Intercepting or otherwise intruding on communications between states or foreign countries Threatening to damage computer systems in order to extort money or other valuables from persons, businesses, or institutions – Electronic Communications Privacy Act of 1986 makes it a crime to break into any electronic communications service, including telephone services prohibits the interception of any type of electronic communications

14 Copyright © 2014 Pearson Education, Inc. 14 Question Some computer criminals attempt to break into systems or deface Web sites to promote political or ideological goals. They are called ________. – A) crackers – B) cyber soldiers – C) ethical hackers – D) patriot hackers – E) hacktivists

15 Copyright © 2014 Pearson Education, Inc. 15 Hacking and Cracking Which one is the “bad guy”? – Hackers – Crackers – Hacktivists Know that hackers work on every side of the game – White Hat / Black Hat – What they are depends on what team you play for

16 Copyright © 2014 Pearson Education, Inc. 16 Types of Criminals Four groups of computer criminals 1.Current or former employees  85–95% of theft from businesses comes from the inside 2.People with technical knowledge committing crimes for personal gain 3.Career criminals using computers to assist them in crimes 4.Outside crackers hoping to find information of value  About 12 percent of cracker attacks cause damage

17 Copyright © 2014 Pearson Education, Inc. 17 Computer Viruses and Other Destructive Code What is your favorite type of destructive code? – Two basic methodologies: Focused attack and opportunistic attack Viruses – self propagating executable – Attached to a host file Worms – also self propagating – Standalone file Trojans – malware designed to enter the system by appearing legitimate Bots – task automation and information retrieval Phishing, buffer overload, keystroke scanners, packet sniffers, brute force cracks, etc

18 Copyright © 2014 Pearson Education, Inc. 18 Types of Crimes 3 Major Groups

19 Copyright © 2014 Pearson Education, Inc. 19 Types of Attacks - Denial of Service Attack Attackers prevent legitimate users from accessing services. Zombie computers – Created by viruses or worms – Attack Web sites Servers crash under increased load.

20 Copyright © 2014 Pearson Education, Inc. 20 Types of Attacks - Cybersquatting The book presents a conceptual definition I would disagree with – The practice of registering a domain name and later reselling it. – It is also the practice of exploiting name commonalities by infringing on established brand Some of the victims include: – Eminem, Panasonic, Hertz, Avon Anti-Cybersquatting Consumer Protection Act in 1999 – Fines as high as $100,000 – Some companies pay the cybersquatters to speed up the process of getting the domain.

21 Copyright © 2014 Pearson Education, Inc. 21 Types of Attacks - Cyber Harassment, Stalking, and Bullying Cyber harassment—Crime that broadly refers to the use of a computer to communicate obscene, vulgar, or threatening content.

22 Copyright © 2014 Pearson Education, Inc. 22 Cyberwar and Cyberterrorism Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.

23 Copyright © 2014 Pearson Education, Inc. 23 Question An organized attempt by a country's military to disrupt or destroy the information and communication systems of another country. Which of the following terms best represents such attacks by a country? – A) cyber terrorism – B) cyberwar – C) logic bomb – D) Web vandalism – E) Internet hoaxing

24 Copyright © 2014 Pearson Education, Inc. 24 Cyberterrorism and Warfare

25 Copyright © 2014 Pearson Education, Inc. 25 Information Systems Security Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.

26 Copyright © 2014 Pearson Education, Inc. 26 Safeguarding IS Resources Risk Reduction – Actively installing countermeasures Risk Acceptance – Accepting any losses that occur Risk Transference – Insurance – Outsourcing

27 Copyright © 2014 Pearson Education, Inc. 27 Information Systems Security All systems connected to a network are at risk. Information systems security – Precautions to keep IS safe from unauthorized access and use Increased need for well executed computer security with increased use of the Internet

28 Copyright © 2014 Pearson Education, Inc. 28 Technological Safeguards Physical access restrictions Authentication – Use of passwords – Photo ID cards, smart cards – Keys to unlock a computer – Combination Authentication dependent on – Something you have – Something you know – Something you are

29 Copyright © 2014 Pearson Education, Inc. 29 Passwords – A personal note Never make your password about: – Your parents – Your birthday – Your school – Your significant other – Your children – A real word The best passwords are – @GoBleTG51!oOk927_ – This password is long and nonsensical

30 Copyright © 2014 Pearson Education, Inc. 30 Biometrics Form of authentication – Fingerprints – Retinal patterns – Facial features and so on Fast authentication High security What is the failing of the biometric password?

31 Copyright © 2014 Pearson Education, Inc. 31 Securing the Facilities Infrastructure Backups – Secondary storage devices – Regular intervals Backup sites – Cold backup site – Hot backup site Redundant data centers – Different geographic areas Closed-circuit television (CCTV) – Monitoring for physical intruders – Video cameras display and record all activity – Digital video recording Uninterruptible power supply (UPS) – Protection against power surges

32 Copyright © 2014 Pearson Education, Inc. 32 Firewalls Firewall—A system designed to detect intrusion and prevent unauthorized access Implementation – Hardware, software, mixed

33 Copyright © 2014 Pearson Education, Inc. 33 Virtual Private Networks Connection constructed dynamically within an existing network Tunneling – Send private data over public network – Encrypted information

34 Copyright © 2014 Pearson Education, Inc. 34 Encryption Message encoded before sending Message decoded when received Cryptography—the science of encryption. – It requires use of a key for decoding. Certificate authority—manages distribution of keys on a busy Web site. Secure Sockets Layer (SSL)—popular public key encryption method.

35 Copyright © 2014 Pearson Education, Inc. 35 Managing IS Security Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.

36 Copyright © 2014 Pearson Education, Inc. 36 Question The ________ policy explains technical controls on all organizational computer systems, such as access limitations, audit-control software, firewalls, and so on. – A) incident handling – B) information – C) security – D) disaster recovery – E) account management

37 Copyright © 2014 Pearson Education, Inc. 37 Managing Information Systems Security Non-technical safeguards – Management of people’s use of IS Acceptable use policies – Trustworthy employees – Well-treated employees

38 Copyright © 2014 Pearson Education, Inc. 38 Disaster Planning Disasters can’t be completely avoided. Need to be prepared. Business continuity plan – describes how a business resumes operation after a disaster Disaster recovery plan – Subset of business continuity plan – Procedures for recovering from systems-related disasters – Two types of objectives Recovery time objectives (Maximum time allowed to recover) Recovery point objectives (How current should the backup material be?)

39 Copyright © 2014 Pearson Education, Inc. 39 Responding to a Security Breach Restore lost data Perform new risk audit Implement additional safeguards Contact law enforcement (yeah, right!) – Computer Emergency Response Team Coordination Center (Federal government center of Internet security expertise)

40 Copyright © 2014 Pearson Education, Inc. 40 Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.

41 Copyright © 2014 Pearson Education, Inc. 41 Question Organizations periodically have an external entity review the controls so as to uncover any potential problems in the controls. This process is called ________. – A) risk analysis – B) a recovery time objective analysis – C) a recovery point objective analysis – D) an information systems audit – E) information modification

42 Copyright © 2014 Pearson Education, Inc. 42 Hierarchy of IS Controls

43 Copyright © 2014 Pearson Education, Inc. 43 Types of IS Controls Policies – Define aim and objectives. Standards – Support the requirements of policies. Organization and management – Define the lines of reporting. Physical and environmental controls – Protect the organization’s IS assets.

44 Copyright © 2014 Pearson Education, Inc. 44 Types of IS Controls (cont’d) Systems software controls – Enable applications and users to utilize the systems. Systems development and acquisition controls – Ensure systems meet the organization’s needs. Application-based controls – Ensures correct input, processing, storage, and output of data; maintain record of data as it moves through the system.

45 Copyright © 2014 Pearson Education, Inc. 45 IS Auditing Information Systems audit – Performed by external auditors to help organizations assess the state of their IS controls. To determine necessary changes To assure the IS availability, confidentiality, and integrity Risk assessment – Determine what type of risks the IS infrastructure faces. Computer-Assisted Auditing Tools (CAAT) – Specific software to test applications and data, using test data or simulations.

46 Copyright © 2014 Pearson Education, Inc. 46 Question Which of the following laws makes it mandatory for organizations to demonstrate that there are controls in place to prevent misuse or fraud, controls to detect any potential problems, and effective measures to correct any problems? – A) USA Patriot Act – B) Sarbanes-Oxley Act – C) Trade Expansions Act of 1962 – D) Central Intelligence Agency Act – E) Electronic Communications Privacy Act of 1986

47 Copyright © 2014 Pearson Education, Inc. 47 The Sarbanes-Oxley Act The Sarbanes-Oxley Act was formed as a reaction to large-scale accounting scandals. – WorldCom, Enron It primarily addresses the accounting side of organizations. Companies have to demonstrate that: – controls are in place to prevent misuse and fraud, – controls are in place to detect potential problems, and – measures are in place to correct problems COBIT (Control Objectives for Information and Related Technology) – Set of best practices Help organizations to maximize the benefits from their IS infrastructure Establish appropriate controls

48 Copyright © 2014 Pearson Education, Inc. 48 A Thought Exercise The NSA is a US Intelligence Agency responsible for global monitoring of information and intelligence/ counterintelligence. Two common techniques used by the organization are: – backdoor creation (e.g. Linux Kernel, _NSAKEY) – buffer/stack overflow to identify established flaws What are the strengths and weaknesses of taking this approach to manage global intelligence?

49 Copyright © 2014 Pearson Education, Inc. 49 Recap Defining Risks How different groups exploit security flaws Management of the risks in the organization How this affects contemporary business

50 Copyright © 2014 Pearson Education, Inc. 50 Project 3 Hand it in Have a wonderful day, don’t fall down the stairs.

Download ppt "Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems."

Similar presentations

Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems.

Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Crime and Security in the Networked Economy Part 4.

Crime and Security in the Networked Economy Part 4.
Fundamentals of Information Systems, Second Edition 1 Security, Privacy, and Ethical Issues in Information Systems and the Internet Chapter 9.

Fundamentals of Information Systems, Second Edition 1 Security, Privacy, and Ethical Issues in Information Systems and the Internet Chapter 9.
Chapter 9 Information Systems Ethics, Computer Crime, and Security.

Chapter 9 Information Systems Ethics, Computer Crime, and Security.
Chapter 9 Information Systems Ethics, Computer Crime, and Security

Chapter 9 Information Systems Ethics, Computer Crime, and Security
Class 11: Information Systems Ethics and Crime MIS 2101: Management Information Systems Based on material from Information Systems Today: Managing in the.

Class 11: Information Systems Ethics and Crime MIS 2101: Management Information Systems Based on material from Information Systems Today: Managing in the.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
Risks, Controls and Security Measures

Risks, Controls and Security Measures
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security

Similar presentations

Ads by Google