Presentation is loading. Please wait.

Presentation is loading. Please wait.

8.1 CSC 601 Management Information Systems Chapter 8 Securing Information Systems.

Published byDaisy Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "8.1 CSC 601 Management Information Systems Chapter 8 Securing Information Systems."— Presentation transcript:

1 8.1 CSC 601 Management Information Systems Chapter 8 Securing Information Systems

2 8.2 Topics System vulnerability and abuse Business value of security and control Establishing a framework for security and control Technologies & tools for security

3 8.3 System Vulnerability and Control Security –Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems Controls –Methods, policies, and organizational procedures that ensure: Safety of organization’s assets Accuracy and reliability of accounting records Operational adherence to management standards

4 8.4 Why Systems are Vulnerable Electronic data vulnerable to more types of threats than manual data Networks –Potential for unauthorized access, abuse, or fraud is not limited to single location but can occur at any access point in network –Vulnerabilities exist at each layer and between layers –E.g. user error, viruses, hackers, radiation, hardware or software failure, theft

5 8.5 Contemporary Security Challenges

6 8.6 Internet Vulnerabilities Public network, so it is open to anyone Size of Internet means abuses may have widespread impact Fixed IP addresses are fixed target for hackers VoIP phone service vulnerable to interception E-mail, instant messaging vulnerable to malicious software, interception

7 8.7 Wireless Security Challenges Many home networks and public hotspots open to anyone, so not secure, communication unencrypted (between client and server) LANs using 802.11 standard (Wi-Fi) can be easily penetrated Initial Wi-Fi security standard (WEP) not very effective as access point and all users share same password. Manufacturers are working on increasing the security with encryption and authentication

8 8.8 Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization. Wi-Fi Security Challenges

9 8.9 Malicious Software (Malware) Virus: –Designed to infiltrate or damage a computer system without the owner's informed consent. –Attaches to other programs or data files Worm: –Independent program that copies itself over network Spread via: –Downloaded software files –e-mail attachments –Infected e-mail messages or instant messages –Infected disks or machines

10 8.10 Malicious Software Trojan horse –Software program that appears to be benign but then does something other than expected –Does not replicate but often is way for viruses or malicious code to enter computer system Spyware –Small programs installed surreptitiously on computers to monitor user Web surfing activity and serve advertising Key loggers –Record and transmit every keystroke on computer –Steal serial numbers, passwords

11 8.11 Hackers and Cybervandalism Hacker –Individual who intends to gain unauthorized access to computer system –Cracker is a hacker with criminal intent Cybervandalism –Intentional disruption, defacement, or destruction of Web site or corporate information system Sniffer –Eavesdropping program that monitors information traveling over network

12 8.12 Hackers and Cybervandalism Denial-of-service (DoS) attack: –Flooding network or Web server with thousands of false requests so as to crash or slow network Distributed denial-of-service (DDoS) attack –Uses hundreds or thousands of computers to inundate and overwhelm network from many launch points

13 8.13 Estimates of the average annual worldwide damage from hacking, malware, and spam. World Damage from Digital Attacks

14 8.14 Computer Crime Identity theft –Using key pieces of personal information (social security numbers, driver’s license numbers, or credit card numbers) to impersonate someone else Phishing –Setting up fake Web sites or sending e-mail messages that look like those of legitimate businesses to ask users for confidential personal data Pharming –Redirecting users to bogus Web page, even when individual types correct address into browser

15 8.15 Computer Crime Evil twins –Bogus wireless networks used to offer Internet connections, then to capture passwords or credit card numbers –A new phishing technique Computer Fraud and Abuse Act (1986) –Makes it illegal to access computer system without authorization Cyberterrorism and cyberwarfare –At least 20 countries are believed to be developing offensive and defensive cyberwarfare capabilities

16 8.16 Internal Threats Company insiders (employees) pose serious security problems –Access to inside information (to security codes, passwords) –May leave little trace User lack of knowledge: single greatest cause of network security breaches –Compromised passwords –Social engineering Errors introduced into software by: –Faulty data entry, misuse of system –Mistakes in programming, system design

17 8.17 Software Vulnerability Software vulnerability & errors –Software errors are constant threat to information systems –Cost companies billion each year –Can enable malware to slip past antivirus defenses Patches –Created by software vendors to update and fix vulnerabilities –However, maintaining patches on all firm’s devices is time consuming and evolves more slowly than malware

18 8.18 Topics System vulnerability and abuse Business value of security and control Establishing a framework for security and control Technologies & tools for security

19 8.19 Business Value of Security & Control Protection of confidential corporate and personal information Value of information assets Security breach of large firm results in average loss of 2.1 % of market value Legal liability Electronic Records Management (ERM) –Policies, procedures, and tools for managing retention, destruction, and storage of electronic records –Strict in US now (after Enron, WorldCom scandals)

20 8.20 Electronic Evidence Legal cases today increasingly rely on evidence represented as digital data e-mail most common electronic evidence Courts impose severe financial, even criminal penalties for improper destruction of electronic documents, failure to produce records, and failure to store records properly

21 8.21 Computer Forensics Scientific collection, examination, authentication, preservation, and analysis of data on computer storage media so that it can be used as evidence in a court Awareness of computer forensics should be incorporated into firm’s contingency planning process

22 8.22 Topics System vulnerability and abuse Business value of security and control Establishing a framework for security and control Technologies & tools for security

23 8.23 Risk Assessment Determines level of risk to firm if specific activity or process is not properly controlled –Value of information assets –Points of vulnerability –Likely frequency of problem –Potential for damage Once risks are assessed, system builders focus on control points with greatest vulnerability and potential for loss

24 8.24 EXPOSUREPROBABILITY OF OCCURRENCE LOSS RANGE / (AVERAGE) EXPECTED ANNUAL LOSS Power failure 30 % $5,000 - $200,000 ($102.500) $30,750 Embezzlement 5 % $1,000 - $50,000 ($25,500) $1,275 User error 98 % $200 - $40,000 ($20,100) $19,698 Risk Assessment Sample assessment of an online order processing system that processes 30,000 orders/day.

25 8.25 Security Policy The constraints put on users for accessing programs and data Authorization policies –Determine level of access to information assets for different levels of users

26 8.26 Security Profiles for a Personnel System Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization. Security Policy

27 8.27 Business Continuity Fault-tolerant computer systems –Ensure 100% availability –Utilize redundant hardware, software, power supply components –Provide continuous, uninterrupted computing service –Critical for online transaction processing High availability computing –Tries to minimize downtime –Helps firms recover quickly from system crash –Utilizes backup servers, distributed processing, high capacity storage, disaster recovery and business continuity plans

28 8.28 Disaster Recovery Planning Restoring computing and communication services after natural or human-induced disaster It includes: –process, policies and procedures for recovery of technology infrastructure critical to an organization Can be outsourced to disaster recovery firms Business continuity planning –Restoring business operations after disaster –Identifies critical business processes and determines how to handle them if systems go down

29 8.29 Auditing MIS audit –Examines firm’s overall security environment as well as controls governing individual information systems Security audit –Reviews technologies, procedures, documentation, training, and personnel Audits –List and rank all control weaknesses –Estimate probability of occurrence –Assess financial and organizational impact of each threat

30 8.30 Sample Auditor’s List of Control Weaknesses This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management. Auditing

31 8.31 Topics System vulnerability and abuse Business value of security and control Establishing a framework for security and control Technologies & tools for security

32 8.32 Technologies & Tools for Security 1.Access control 2.Firewalls 3.IDS 4.Anti-virus systems 5.Securing wireless networks 6.Encryption

33 8.33 1. Access Control Policies and procedures used to prevent improper access to systems by unauthorized insiders and outsiders Users must be authorized and authenticated Authentication: –Typically established by password systems –New authentication technologies: Tokens Smart cards Biometric authentication

34 8.34 2. Firewalls Hardware and software controlling flow of incoming and outgoing network traffic Prevents unauthorized access The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.

35 8.35 3. IDS Intrusion detection systems: –Full-time, real-time monitoring tools –Placed at most vulnerable points of corporate networks to detect and deter intruders –Scanning software looks for patterns such as bad passwords, removal of important files, and notifies administrators

36 8.36 4. Antivirus software Antivirus software –Checks computer systems and drives for presence of computer viruses –To remain effective, they must be continually updated Antispyware software tools –Many leading antivirus software vendors include protection against spyware –Standalone tools available (Ad-Aware, Spybot)

37 8.37 5. Securing Wireless Networks WEP: –Provides some measure of security if activated VPN technology: –Can also be used by corporations to help security 802.11 specification: –Continuous improvements on the standard that tighten security for wireless LANs Wireless security should be accompanied by appropriate policies and procedures for using wireless devices

38 8.38 6. Encryption The translation of data into a secret code The most effective way to secure data To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it –Unencrypted data is called plain text –Encrypted data is referred to as cipher text

39 8.39 6. Encryption Methods for encrypting network traffic –Secure Sockets Layer (SSL) /Transport Layer Security (TLS) Establishes secure connection between two computers –Secure HTTP (S-HTTP) Encrypts individual messages –Digital Signatures –Digital Certicifacates

40 8.40 Messages encrypted with recipient’s public key but can only be decoded with recipient’s private key Public Key Encryption

41 8.41 6. Encryption Digital Signatures: –A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender –Guarantees that the message sender is really who he/she claims to be (like a written signature) Digital Certificates: –An attachment to an electronic message used for security purposes. Certificate Authority: –An organization that people agree to trust. –Issues certificates of authenticity for identifies, software and transactions.

42 8.42 Links & Resources Wireless Internet Security –http://videos.howstuffworks.com/science-channel/5018-its-all- geek-to-me-wireless-internet-security-video.htmhttp://videos.howstuffworks.com/science-channel/5018-its-all- geek-to-me-wireless-internet-security-video.htm

43 8.43 Video Case VeriSign Digital Infrastructure

44 8.44 Key Terms Access control Anti-virus software Audit Authentication Business continuity Computer Forensics Controls Cybervandalism Disaster recovery plan DoS/DDoS Encryption Firewall Hacker High availability computing IDS Identity theft Malware Pharming Phishing Risk assesment Security Security policy Sniffer Spyware Trojan horse Virus Worm

Download ppt "8.1 CSC 601 Management Information Systems Chapter 8 Securing Information Systems."

Similar presentations

Lecture 14 Securing Information Systems

Lecture 14 Securing Information Systems
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Module 2: Information Technology Infrastructure

Module 2: Information Technology Infrastructure
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.

7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
7.1 © 2007 by Prentice Hall 7 Chapter Securing Information Systems.

7.1 © 2007 by Prentice Hall 7 Chapter Securing Information Systems.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Lecture 10 Security and Control.

Lecture 10 Security and Control.
Lecture 10 Security and Control.

Lecture 10 Security and Control.
10.1 © 2006 by Prentice Hall 10 Chapter Security and Control.

10.1 © 2006 by Prentice Hall 10 Chapter Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
7.1 © 2007 by Prentice Hall 7 Chapter Securing Information Systems.

7.1 © 2007 by Prentice Hall 7 Chapter Securing Information Systems.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Similar presentations

Ads by Google