8. Securing Information Systems
Chapter 8
Usman Naeem
Introduction
Explain why information systems are vulnerable to destruction, error, and abuse. Assess the business value of security and control.
Security:
Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls:
Methods, policies, and organizational procedures that ensure safety of organizations assets; accuracy and reliability of its accounting records; and operational adherence to management standards
Software problems
Programming errors, installation errors, unauthorized changes
Disasters
Power failures, flood, fires, etc.
Figure 8.1
Contemporary Security Challenges and Vulnerabilities
Internet Vulnerability
Network open to anyone
Size of Internet means abuses can have wide impact
Use of fixed Internet addresses with permanent connections to Internet eases identification by hackers
E-mail attachments
E-mail used for transmitting trade secrets
IM messages lack security, can be easily intercepted
Figure 8.2
Wi-Fi Security Challenges
Who should be held liable for the losses caused by the use of fraudulent credit cards in this case? The banks issuing the cards or the consumers? Justify your answer.
What solutions would you suggest to prevent the problems?
Computer Crime
Defined as any violation of criminal law that involves knowledge of computer technology for its perpetration, investigation, or prosecution
Computer may be target of crime, e.g.:
Breaching confidentiality of protected computerized data
Accessing a computer system without authority
Computer may be instrument of crime, e.g.:
Identity theft: Theft of personal information (social security ID, driver's license or credit card numbers) to impersonate someone else
Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data
Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
Pharming: Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
Click fraud: Computer program clicks online ad without any intention of learning more or making a purchase
Social engineering:
Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
Software Vulnerability
Commercial software contains flaws that create security vulnerabilities
Hidden bugs (program code defects)
Zero defects cannot be achieved because complete testing is not possible with large programs
Patches
Vendors release small pieces of software to repair flaws
However, the amount of software in use can mean exploits are created faster than patches can be released and implemented
Electronic evidence
Evidence for white collar crimes often found in digital form
Data stored on computer devices, e-mail, instant messages, e-commerce transactions
Proper control of data can save time, money when responding to legal discovery request
Computer forensics:
Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
Includes recovery of ambient and hidden data
Security Policy
Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
Drives other policies
Acceptable use policy (AUP): Defines acceptable uses of the firm's information resources and computing equipment
Authorisation policies: Determine differing levels of user access to information assets
Risk Assessment
LOSS RANGE (AVERAGE)
$5K - $200K ($102,500)
$1K - $50K ($25,500)
$200 - $40K ($20,100)
Disaster recovery planning: Devises plans for restoration of disrupted services
Business continuity planning: Focuses on restoring business operations after disaster
Both types of plans needed to identify the firm's most critical systems and business processes
Business impact analysis to determine impact of an outage
Management must determine:
Maximum time systems can be down
Which systems must be restored first
Security Profiles
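A worked example added here (not from the chapter or the slides) of what an authorisation policy looks like once it is expressed as security profiles: each role gets an explicit list of fields and operations, anything not listed is denied, and an audit helper shows which roles can reach a sensitive field. The roles, field names and permissions are constructed for illustration.

```python
from enum import Flag, auto

# Operations a security profile can grant on a field of a personnel system.
class Op(Flag):
    NONE = 0
    READ = auto()
    UPDATE = auto()
    DELETE = auto()

# Constructed security profiles: role -> {field: permitted operations}.
# A field absent from a profile is denied (deny by default), which is the
# least-privilege reading of an authorisation policy.
PROFILES = {
    "personnel_clerk": {
        "employee_name": Op.READ,
        "phone_extension": Op.READ | Op.UPDATE,
    },
    "payroll_manager": {
        "employee_name": Op.READ,
        "salary": Op.READ | Op.UPDATE,
        "medical_history": Op.NONE,   # explicitly denied
    },
    "hr_director": {
        "employee_name": Op.READ | Op.UPDATE | Op.DELETE,
        "salary": Op.READ | Op.UPDATE,
        "medical_history": Op.READ,
    },
}

def is_authorized(role: str, field: str, op: Op) -> bool:
    """True only if the role's profile grants every operation in `op` on `field`."""
    profile = PROFILES.get(role)
    if profile is None:            # unknown role: no access at all
        return False
    granted = profile.get(field, Op.NONE)
    return op != Op.NONE and op in granted

def roles_with_access(field: str, op: Op) -> list[str]:
    """Audit helper: which roles can perform `op` on `field`? Used when
    reviewing whether a sensitive field is exposed more widely than intended."""
    return sorted(r for r in PROFILES if is_authorized(r, field, op))

if __name__ == "__main__":
    print(is_authorized("personnel_clerk", "salary", Op.READ))   # False
    print(roles_with_access("medical_history", Op.READ))         # ['hr_director']
```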
MIS Audit
Examines the firm's overall security environment as well as controls governing individual information systems
Reviews technologies, procedures, documentation, training, and personnel
May even simulate disaster to test response of technology, IS staff, other employees
Lists and ranks all control weaknesses and estimates probability of their occurrence
Assesses financial and organizational impact of each threat
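A worked example added here (not from the chapter or the slides) of the risk assessment arithmetic behind the loss-range table above and the ranking of control weaknesses: average loss is the midpoint of the loss range, expected annual loss is probability times average loss, and exposures are ranked on that figure. The loss ranges are the ones on the slide; the exposure names and probabilities are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float   # estimated probability of occurrence in a year (0..1)
    loss_low: float      # lowest plausible loss from one occurrence, in dollars
    loss_high: float     # highest plausible loss from one occurrence, in dollars

    @property
    def average_loss(self) -> float:
        # Midpoint of the loss range, as in the risk assessment table
        return (self.loss_low + self.loss_high) / 2

    @property
    def expected_annual_loss(self) -> float:
        # Probability-weighted loss: the figure used to rank control weaknesses
        return self.probability * self.average_loss

def rank_exposures(exposures):
    """Return exposures sorted from largest to smallest expected annual loss."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss, reverse=True)

# Constructed sample: loss ranges from the slide, names and probabilities assumed.
SAMPLE = [
    Exposure("exposure A", 0.30, 5_000, 200_000),
    Exposure("exposure B", 0.05, 1_000, 50_000),
    Exposure("exposure C", 0.98, 200, 40_000),
]

if __name__ == "__main__":
    for e in rank_exposures(SAMPLE):
        print(f"{e.name}: average ${e.average_loss:,.0f}, "
              f"expected annual loss ${e.expected_annual_loss:,.0f}")
```

Note that the exposure with the smallest average loss can still outrank one with a larger average once probability is taken into account, which is why the ranking, not the loss range alone, drives where controls are applied.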
Intrusion detection systems: Monitor vulnerable points on networks to detect and deter intruders
Examine events as they are happening to discover attacks in progress
Scan network to find patterns indicative of attacks
VPNs
Web content filtering
Antispam software
Encryption:
Transforming text or data into cipher text that cannot be read by unintended recipients
Contain redundant hardware, software, and power supply components to provide continuous, uninterrupted service
High-availability computing: Helps recover quickly from crash