Is Security
7/31/2019 Is Security
1/44
Chapter 16 1
Information Technology For Management, 6th Edition. Turban, Leidner, McLean, Wetherbe
Lecture Slides by L. Beaubien, Providence College
John Wiley & Sons, Inc.
Managing Information Resources and Security
-
Learning Objectives
Recognize the business value of security and control.
Understand the role of the IS department and its relationships with end users.
Discuss the role of the chief privacy officer.
Recognize information systems vulnerability, threats, attack methods, and the possible symptoms of attack.
-
Learning Objectives(Continued)
Describe the major methods of defending information systems.
Describe internal control and fraud.
Describe the security issues of the Web and electronic commerce.
Describe business continuity and disaster recovery planning.
Understand the role of computer forensics in investigating and deterring security incidents.
-
Security & the Enterprise
-
IS Vulnerability
-
How a virus works
-
Threats to Information Security
A threat to an information resource is any danger to which a system may be exposed.
The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
A system's vulnerability is the possibility that the system will suffer harm from a threat.
Risk is the likelihood that a threat will occur.
Information system controls are the procedures, devices, or software aimed at preventing a compromise of the system.
-
Unintentional Threats
Human errors can occur in the design of the hardware and/or the information system.
They can also occur in programming, testing, data collection, data entry, authorization and procedures.
Human errors contribute to more than 50% of control and security-related problems in organizations.
-
Unintentional Threats(Continued)
Environmental hazards include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (the most common hazard), explosions, etc.
Computer system failures can occur as the result of poor manufacturing or defective materials.
-
Intentional Threats
Typically criminal in nature.
Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet.
The average cybercrime involves about $600,000, according to the FBI.
-
Intentional Threats (Continued)
Hacker. An outside person who has penetrated a computer system, usually with no criminal intent.
Cracker. A malicious hacker.
Social engineering. Computer criminals or corporate spies get around security systems by building an inappropriate trust relationship with insiders.
-
Espionage or Trespass
The act of an unauthorized individual gaining access to information an organization is trying to protect.
Industrial espionage occurs when researching information about the competition goes beyond the legal limits.
Governments practice industrial espionage against companies in other countries.
Shoulder surfing is looking at a computer monitor or ATM screen over another person's shoulder.
-
System Vulnerability
A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.
An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; or is considered a problem according to some reasonable security policy.
(These two definitions are the ones the CVE project originally used to decide what qualifies for a CVE entry.)
-
Protecting Privacy
Privacy. The right to be left alone and to be free of unreasonable personal intrusions.
Two rules have been followed fairly closely in past court decisions in many countries: the right of privacy is not absolute, and privacy must be balanced against the needs of society; and the public's right to know is superior to the individual's right of privacy.
Electronic surveillance. The tracking of people's activities, online or offline, with the aid of computers.
Personal information in databases. Information about individuals is kept in many databases: banks, utility companies, government agencies, etc.; the most visible holders are the credit-reporting agencies.
-
Protecting Privacy (Continued)
Information on Internet bulletin boards and newsgroups. Electronic discussions such as chat rooms and similar sites appear on the Internet, within corporate intranets, and on blogs.
A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.
Privacy codes and policies. An organization's guidelines with respect to protecting the privacy of customers, clients, and employees.
International aspects of privacy. Privacy issues that international organizations and governments face when information spans countries and jurisdictions.
-
Information Extortion
When an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or for an agreement not to disclose it.
-
Sabotage or Vandalism
A popular type of online vandalism is hacktivist or cyberactivist activity.
Hacktivists or cyberactivists use technology for high-tech civil disobedience to protest the operations, policies, or actions of an individual, an organization, or a government agency.
-
Sabotage or Vandalism(Continued)
Cyberterrorism is a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.
Cyberwar. War in which a country's information systems could be paralyzed by a massive attack with destructive software.
Theft is the illegal taking of property that belongs to another individual or organization.
-
Identity Theft
Crime in which someone uses the personal information of others, usually obtained from the Internet, to create a false identity and then commits fraud.
Fastest growing white-collar crime.
The biggest problem for victims is restoring their damaged credit rating.
-
Software Attacks
Malicious software (malware) is designed to damage, destroy, or deny service to the targeted systems.
The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.
-
Software Attacks (Continued)
Viruses. Segments of computer code that attach themselves to a host program and perform unintended actions ranging from merely annoying to destructive.
Worms. Destructive programs that replicate themselves from system to system without requiring a host program.
Trojan horses. Software programs that hide inside other computer programs and reveal their designed behavior only when they are activated.
-
Software Attacks (Continued)
Logic bombs. Designed to activate and perform a destructive action at a certain time or when a specific condition is met.
Back doors or trap doors. Typically a hidden account or password, known only to the attacker, that allows access to the system without going through the normal security checks.
Denial-of-service. An attacker sends so many requests to a target system that the target cannot handle them; the system may crash or become unavailable to legitimate users.
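Per-source rate limiting is the usual first line of defense against a single source flooding a service with requests, as described above. The block below is an added example, not code from the slides or the textbook: a token-bucket limiter that tracks integer millitokens against a millisecond clock (so the arithmetic is exact) and a simulation that replays constructed traffic through it. `TokenBucketLimiter`, `FakeClock`, `simulate` and the addresses 198.51.100.66 and 10.0.0.2 are illustrative names and documentation addresses, not anything from the original.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket. Each source may send `rate` requests per second on
    average, with bursts of up to `capacity` requests. Tokens are kept as integer
    millitokens against a millisecond clock so refill arithmetic is exact."""

    def __init__(self, rate: int, capacity: int, clock=None):
        self.rate = rate                      # tokens per second == millitokens per millisecond
        self.capacity_mt = capacity * 1000
        self.clock = clock or (lambda: time.monotonic_ns() // 1_000_000)
        self._tokens_mt: dict = {}
        self._last_ms: dict = {}

    def allow(self, source: str) -> bool:
        now = self.clock()
        last = self._last_ms.get(source, now)
        tokens = self._tokens_mt.get(source, self.capacity_mt)   # new sources start full
        tokens = min(self.capacity_mt, tokens + (now - last) * self.rate)
        self._last_ms[source] = now
        if tokens >= 1000:
            self._tokens_mt[source] = tokens - 1000
            return True
        self._tokens_mt[source] = tokens                          # rejected: no token spent
        return False


class FakeClock:
    """Deterministic millisecond clock for the simulation (not for production use)."""

    def __init__(self):
        self.now_ms = 0

    def now(self):
        return self.now_ms


def simulate(events, rate=5, capacity=10):
    """Replay (time_ms, source) events and return {source: (accepted, total)}."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate, capacity, clock=clock.now)
    counts = defaultdict(lambda: [0, 0])
    for t_ms, source in sorted(events):
        clock.now_ms = t_ms
        counts[source][1] += 1
        if limiter.allow(source):
            counts[source][0] += 1
    return {s: tuple(c) for s, c in counts.items()}


# Constructed traffic: one source sends 1,000 requests in one second (one per millisecond)
# while a legitimate client sends two requests in the same second.
FLOOD_SOURCE, LEGIT_SOURCE = "198.51.100.66", "10.0.0.2"
SAMPLE_EVENTS = [(t, FLOOD_SOURCE) for t in range(1000)] + [(0, LEGIT_SOURCE), (500, LEGIT_SOURCE)]

if __name__ == "__main__":
    # With rate=5, capacity=10 the flood gets its 10-request burst plus one request
    # every 200 ms (14 of 1,000); the legitimate client's bucket is separate and untouched.
    print(simulate(SAMPLE_EVENTS))
```

Two caveats a practitioner would add: the per-source state grows without bound, so idle entries need eviction (or the buckets live in a shared store with a TTL), and a distributed flood from thousands of sources stays under any per-source limit, which is why upstream filtering and capacity planning still matter.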
-
Alien Software
Pestware. Clandestine software that uses up valuable system resources and can report on your Web surfing habits and other personal information.
Adware. Designed to make pop-up advertisements appear on your screen.
Spyware. Software that gathers user information through the user's Internet connection without their knowledge (e.g. a keylogger or password capture).
-
Alien Software (Continued)
Spamware. Designed to use your computer as a launch pad for spammers.
Spam. Unsolicited e-mail, usually for purposes of advertising.
Cookies. A small amount of information that Web sites store on your computer, temporarily or more-or-less permanently.
-
Alien Software (Continued)
Web bugs. Small, usually invisible, graphic images added to a Web page or e-mail so that the sender learns when, and from which address, it was viewed.
Phishing. Uses deception, typically an official-looking e-mail, to fraudulently acquire sensitive personal information such as account numbers and passwords.
Pharming. Redirects users to a fake Web site by tampering with name resolution (for example, poisoning a DNS server's cache or editing the victim's hosts file), so that people who type in the legitimate Web site URL land on the attacker's site.
-
Compromises to Intellectual Property
Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.
-
Compromises to Intellectual Property(Continued)
Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
Piracy. Copying a software program without making payment to the owner.
-
Corporate Security Plan - Protecting
-
Defense Strategy - Controls
-
Controls
Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures.
General controls. Established to protect the system regardless of the specific application.
Physical controls. Physical protection of computer facilities and resources.
Access controls. Restriction of unauthorized user access to computer resources; use biometric and password controls for user identification.
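Password controls are only as good as the way the passwords are stored and checked. The block below is an added example, not code from the slides or the textbook, showing the pieces an access control built on passwords needs: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), constant-time comparison, a lockout after repeated failures, and the same amount of work for unknown usernames so response time does not reveal which accounts exist. `UserStore`, `hash_password`, `verify_password` and the sample user "alice" are illustrative names; the iteration count is an assumption chosen so the example runs quickly.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2-HMAC-SHA256 work factor. OWASP's password storage guidance recommends
# 600,000 iterations; kept lower here (assumption) so the example runs quickly.
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per user means two users with the same password get
    different records and precomputed (rainbow) tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not stop at the first differing byte, so timing leaks nothing.
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """In-memory credential store (hypothetical) with lockout after repeated failures."""

    MAX_FAILURES = 5

    def __init__(self) -> None:
        self._records: dict = {}
        self._failures: dict = {}
        # Checking unknown users against this dummy record costs the same time as a
        # real verification, so response time does not reveal which usernames exist.
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)
        self._failures[username] = 0

    def authenticate(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked". The caller must show the same message
        for "denied" whether or not the username exists."""
        record = self._records.get(username)
        if record is None:
            verify_password(password, self._dummy)
            return "denied"
        if self._failures[username] >= self.MAX_FAILURES:
            return "locked"
        if verify_password(password, record):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "locked" if self._failures[username] >= self.MAX_FAILURES else "denied"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    print(store.authenticate("alice", "correct horse battery staple"))  # ok
    print(store.authenticate("alice", "hunter2"))                        # denied
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day. In a real deployment the lockout counter would live in persistent storage and be paired with the rate limiting discussed under denial-of-service, since a lockout by itself lets an attacker lock legitimate users out on purpose.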
-
Controls (Continued)
Communications (network) controls. Protect the movement of data across networks and include border security controls, authentication and authorization.
Firewalls. A system that enforces an access-control policy between two networks.
Encryption. The process of converting an original message into a form that cannot be read by anyone except the intended receiver.
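A firewall's access-control policy is an ordered rule list evaluated first-match-wins with an implicit deny at the end, and the ordering is where policies usually go wrong. The block below is an added example, not code from the slides or the textbook: a small policy evaluator over constructed rules for a DMZ web host, plus a check for rules that an earlier rule completely shadows, which answers the auditor's question "are the controls installed as intended?" `Rule`, `Packet`, `evaluate`, `shadowed_rules` and the 10.0.0.0/8 and 203.0.113.0/24 addresses are illustrative names and documentation ranges, not anything from the original.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[tuple]  # inclusive (low, high) destination-port range, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    rs, rd = _net(rule.src), _net(rule.dst)
    if rs is not None and src not in rs:   # an IPv6 address is never "in" an IPv4 network
        return False
    if rd is not None and dst not in rd:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and (pkt.dport is None or not rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def evaluate(policy, pkt: Packet):
    """First matching rule wins; no match means the default policy applies: deny."""
    for index, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches rule b also matches rule a."""
    def net_covers(x, y):
        nx, ny = _net(x), _net(y)
        if nx is None:
            return True
        if ny is None or ny.version != nx.version:
            return False
        return ny.subnet_of(nx)
    ports_ok = a.dport is None or (b.dport is not None and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])
    return net_covers(a.src, b.src) and net_covers(a.dst, b.dst) and a.proto in ("any", b.proto) and ports_ok


def shadowed_rules(policy):
    """(shadowed_index, covering_index) pairs for rules that can never match because an
    earlier rule already decides every packet they describe."""
    found = []
    for j, later in enumerate(policy):
        for i in range(j):
            if _covers(policy[i], later):
                found.append((j, i))
                break
    return found


# Constructed sample policy protecting a DMZ web host 203.0.113.10 (documentation addresses).
POLICY = [
    Rule("allow", "any", "203.0.113.10/32", "tcp", (80, 80), "public web"),
    Rule("allow", "any", "203.0.113.10/32", "tcp", (443, 443), "public web, TLS"),
    Rule("allow", "10.0.5.5/32", "203.0.113.0/24", "tcp", (22, 22), "admin SSH from the jump host only"),
    Rule("deny", "10.0.0.0/8", "203.0.113.0/24", "tcp", (22, 22), "no other internal SSH into the DMZ"),
    Rule("allow", "10.0.0.0/8", "203.0.113.0/24", "any", None, "internal to DMZ"),
    Rule("allow", "10.0.7.0/24", "203.0.113.0/24", "tcp", (8080, 8080), "dev team app port (never reached)"),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Packet("10.0.9.1", "203.0.113.20", "tcp", 22)))   # ('deny', 3)
    print(shadowed_rules(POLICY))                                            # [(5, 4)]
```

The shadow check is deliberately conservative: it only reports a rule when one earlier rule covers it outright, so a rule hidden by the union of several earlier rules still goes unreported. Real firewalls also track connection state, which this stateless evaluator leaves out.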
-
Controls (Continued)
All encryption systems use a key.
Symmetric encryption. Sender and recipient use the same key, which must be shared in advance over a secure channel.
Public-key encryption. Uses two different keys: a public key, which can be distributed freely, and a private key, which its owner keeps secret.
Certificate authority. A trusted third party that vouches for the binding between an identity and a public key by issuing a signed certificate, so that each party can verify the other's public key instead of having to exchange keys directly.
-
Controls (Continued)
Virtual private networking. Uses the Internet to carry information within a company and among business partners, but with increased security through encryption, authentication and access control.
Application controls. Controls that protect specific applications and include input, processing and output controls.
-
Controls (Continued)
Information systems auditing. Independent, unbiased observers are tasked with ensuring that information systems work properly.
Types of auditors and audits:
Internal. Performed by corporate internal auditors.
External. Reviews the internal audit as well as the inputs, processing and outputs of information systems.
Audit. Examination of information systems, their inputs, outputs and processing.
-
IS Auditing Procedure
Auditing around the computer means verifying processing by checking for known outputs from specific inputs.
Auditing through the computer means inputs, outputs and processing are all checked.
Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.
-
Auditing
Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.
There are two types of auditors:
An internal auditor is usually a corporate employee who is not a member of the ISD.
An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.
There are two types of audits:
The operational audit determines whether the ISD is working properly.
The compliance audit determines whether controls have been implemented properly and are adequate.
-
Protecting Information Resources
Risk. The probability that a threat will impact an information resource.
Risk management. To identify, control and minimize the impact of threats.
Risk analysis. To assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
-
Protecting Information Resources(Continued)
Risk mitigation is when the organization takes concrete actions against risk. It has two functions:
(1) implementing controls to prevent identified threats from occurring, and
(2) developing a means of recovery should the threat become a reality.
-
Risk Mitigation Strategies
Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
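The risk analysis slide (asset value, probability of compromise, cost of compromise versus cost of protection) and the three mitigation strategies above fit together in one quantitative model: annualized loss expectancy, ALE = asset value x exposure factor x annual rate of occurrence, compared with the yearly cost of each option. The block below is an added example, not code from the slides or the textbook, that carries the comparison through for a small constructed risk register and picks accept, limit or transfer for each threat. `Threat`, `Control`, `choose_strategy`, `risk_register` and all the money and probability figures are illustrative assumptions; the insurance option is modelled as covering the whole loss, which is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float      # cost of a total compromise: replacement, downtime, liability
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    annual_rate: float      # expected occurrences per year (ARO)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0    # fraction by which the control cuts the ARO (prevention)
    impact_reduction: float = 0.0  # fraction by which it cuts the exposure factor (containment, recovery)


def single_loss_expectancy(t: Threat, control: Optional[Control] = None) -> float:
    ef = t.exposure_factor * (1 - control.impact_reduction if control else 1)
    return t.asset_value * ef


def annualized_loss_expectancy(t: Threat, control: Optional[Control] = None) -> float:
    """ALE = SLE x ARO; with a control applied this is the residual risk."""
    aro = t.annual_rate * (1 - control.rate_reduction if control else 1)
    return single_loss_expectancy(t, control) * aro


def choose_strategy(t: Threat, candidates, insurance_premium: Optional[float] = None):
    """Compare the yearly cost of each option and return (strategy, control or None, cost).

    accept:   pay the expected loss, spend nothing on controls
    limit:    control cost + residual ALE, for the cheapest cost-justified control
    transfer: the insurance premium (assumption: the policy covers the whole loss)"""
    baseline = annualized_loss_expectancy(t)
    best_control, best_total = None, baseline
    for c in candidates:
        total = annualized_loss_expectancy(t, c) + c.annual_cost
        if total < best_total:
            best_control, best_total = c, total
    if insurance_premium is not None and insurance_premium < best_total:
        return "transfer", None, insurance_premium
    if best_control is None:
        return "accept", None, baseline
    return "limit", best_control, best_total


# Constructed figures for illustration only; real values come from the asset inventory.
RANSOMWARE = Threat("ransomware", "file server", 400_000, 0.6, 0.5)
LAPTOP_THEFT = Threat("laptop theft", "sales laptop", 3_000, 1.0, 0.2)
DEFACEMENT = Threat("defacement", "marketing site", 20_000, 0.25, 0.1)
DC_FLOOD = Threat("flood", "data center", 2_000_000, 0.5, 0.02)

BACKUPS = Control("offline backups with tested restores", 15_000, impact_reduction=0.8)
EDR = Control("endpoint detection and response", 30_000, rate_reduction=0.5)
FDE = Control("full-disk encryption", 300, impact_reduction=0.9)
WAF = Control("web application firewall", 6_000, rate_reduction=0.7)
RELOCATE = Control("move to a site outside the flood plain", 200_000, rate_reduction=0.95)


def risk_register():
    """Apply the analysis to each threat: {threat name: (strategy, control name, yearly cost)}."""
    decisions = {
        RANSOMWARE.name: choose_strategy(RANSOMWARE, [BACKUPS, EDR], insurance_premium=45_000),
        LAPTOP_THEFT.name: choose_strategy(LAPTOP_THEFT, [FDE]),
        DEFACEMENT.name: choose_strategy(DEFACEMENT, [WAF]),
        DC_FLOOD.name: choose_strategy(DC_FLOOD, [RELOCATE], insurance_premium=12_000),
    }
    return {k: (s, c.name if c else None, round(cost, 2)) for k, (s, c, cost) in decisions.items()}


if __name__ == "__main__":
    for name, decision in risk_register().items():
        print(name, decision)
```

With these inputs the register comes out as: ransomware is limited with backups (39,000 a year beats the 45,000 premium and the 90,000 of EDR alone), laptop theft is limited with disk encryption, defacement of the marketing site is accepted because the control costs ten times the expected loss, and the flood risk is transferred to insurance. The point of the model is the comparison, not the precision: the rate and impact estimates are the weakest numbers, so the analysis should be rerun as they change.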
-
Disaster Recovery Planning
Disaster recovery. The chain of events linking planning to protection to recovery, documented in a disaster recovery plan.
Disaster avoidance. Oriented toward prevention, e.g. an uninterruptible power supply (UPS).
Hot sites. An external data center that is fully configured and has copies of the organization's data and programs.
-
Business Continuity
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster.
The purpose of a business continuity plan is to keep the business running after a disaster occurs.
Recovery planning is part of asset protection.
Planning should focus on recovery from a total loss of all capabilities.
Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
All critical applications must be identified and their recovery procedures addressed.
The plan should be written so that it will be effective in case of disaster.
-
Managerial Issues
What is the business value of IT security and control?
What are the legal obligations?
How important is IT security to management?
IT security and internal control must be implemented top-down.
Acceptable use policies.
-
Managerial Issues (Continued)
Digital assets are relied upon for competitive advantage.
What does risk management involve?
What are the impacts of IT security breaches?
Federal and state regulations.
Internal control and computer forensics.
-
Chapter 16
Copyright 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.