Is Security


Transcript of Is Security

  • 7/31/2019 Is Security

    1/44

    Chapter 16 1

    Information Technology For Management, 6th Edition. Turban, Leidner, McLean, Wetherbe

    Lecture Slides by L. Beaubien, Providence College

    John Wiley & Sons, Inc.

    Managing Information Resources and Security

  • Learning Objectives

    Recognize the business value of security and control.

    Understand the role of the IS department and its relationships with end users.

    Discuss the role of the chief privacy officer.

    Recognize information systems vulnerability, threats, attack methods, and the possible symptoms of attack.

  • Learning Objectives (Continued)

    Describe the major methods of defending information systems.

    Describe internal control and fraud.

    Describe the security issues of the Web and electronic commerce.

    Describe business continuity and disaster recovery planning.

    Understand the role of computer forensics in investigating and deterring security.

  • Security & the Enterprise

  • IS Vulnerability

  • How a virus works

  • Threats to Information Security

    A threat to an information resource is any danger to which a system may be exposed.

    The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.

    A system's vulnerability is the possibility that the system will suffer harm from a threat.

    Risk is the likelihood that a threat will occur.

    Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.

  • Unintentional Threats

    Human errors can occur in the design of the hardware and/or information system.

    They can also occur in programming, testing, data collection, data entry, authorization, and procedures.

    Human errors contribute to more than 50% of control and security-related problems in organizations.

  • Unintentional Threats (Continued)

    Environmental hazards include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (the most common hazard), explosions, etc.

    Computer system failures can occur as the result of poor manufacturing or defective materials.

  • Intentional Threats

    Typically criminal in nature.

    Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet.

    The average cybercrime involves about $600,000, according to the FBI.

  • Intentional Threats (Continued)

    Hacker. An outside person who has penetrated a computer system, usually with no criminal intent.

    Cracker. A malicious hacker.

    Social engineering. Computer criminals or corporate spies get around security systems by building an inappropriate trust relationship with insiders.

  • Espionage or Trespass

    The act of an unauthorized individual gaining access to the information an organization is trying to protect.

    Industrial espionage occurs in areas where researching information about the competition goes beyond the legal limits.

    Governments practice industrial espionage against companies in other countries.

    Shoulder surfing is looking at a computer monitor or ATM screen over another person's shoulder.

  • System Vulnerability

    A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.

    An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information-gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

  • Protecting Privacy

    Privacy. The right to be left alone and to be free of unreasonable personal intrusions.

    Two rules have been followed fairly closely in past court decisions in many countries: (1) the right of privacy is not absolute; privacy must be balanced against the needs of society; (2) the public's right to know is superior to the individual's right of privacy.

    Electronic Surveillance. The tracking of people's activities, online or offline, with the aid of computers.

    Personal Information in Databases. Information about individuals is being kept in many databases: banks, utility companies, government agencies, etc.; the most visible locations are credit-reporting agencies.

  • Protecting Privacy (Continued)

    Information on Internet Bulletin Boards and Newsgroups. Electronic discussions such as chat rooms and other such sites appear on the Internet, within corporate intranets, and on blogs.

    A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.

    Privacy Codes and Policies. An organization's guidelines with respect to protecting the privacy of customers, clients, and employees.

    International Aspects of Privacy. Privacy issues that international organizations and governments face when information spans countries and jurisdictions.

  • Information Extortion

    When an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or an agreement not to disclose it.

  • Sabotage or Vandalism

    A popular type of online vandalism is hacktivist or cyberactivist activities.

    Hacktivists or cyberactivists use technology for high-tech civil disobedience to protest the operations, policies, or actions of an individual, an organization, or a government agency.

  • Sabotage or Vandalism (Continued)

    Cyberterrorism is a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by subnational groups or clandestine agents.

    Cyberwar. War in which a country's information systems could be paralyzed by a massive attack using destructive software.

    Theft is the illegal taking of property that belongs to another individual or organization.

  • Identity Theft

    A crime in which someone uses the personal information of others, usually obtained from the Internet, to create a false identity and then commits fraud.

    The fastest-growing white-collar crime.

    The biggest problem is restoring the victim's damaged credit rating.

  • Software Attacks

    Malicious software (malware) is designed to damage, destroy, or deny service to the targeted systems.

    The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing, and pharming.

  • Software Attacks (Continued)

    Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.

    Worms. Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.

    Trojan horses. Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.

  • Software Attacks (Continued)

    Logic bombs. Designed to activate and perform a destructive action at a certain time.

    Back doors or trap doors. Typically a password, known only to the attacker, that allows access to the system without having to go through any security.

    Denial-of-service. An attacker sends so many information requests to a target system that the target cannot handle them successfully, which can crash the entire system.

  • Alien Software

    Pestware. Clandestine software that uses up valuable system resources and can report on your Web surfing habits and other personal information.

    Adware. Designed to help pop-up advertisements appear on your screen.

    Spyware. Software that gathers user information through the user's Internet connection without their knowledge (e.g., keyloggers, password capture).

  • Alien Software (Continued)

    Spamware. Designed to use your computer as a launch pad for spammers.

    Spam. Unsolicited e-mail, usually for purposes of advertising.

    Cookies. Small amounts of information that Web sites store on your computer, temporarily or more-or-less permanently.

  • Alien Software (Continued)

    Web bugs. Small, usually invisible, graphic images that are added to a Web page or e-mail.

    Phishing. Uses deception, disguised as an official-looking e-mail, to fraudulently acquire sensitive personal information such as account numbers and passwords.

    Pharming. Fraudulently acquires the domain name for a company's Web site, so that when people type in the Web site URL they are redirected to a fake Web site.

  • Compromises to Intellectual Property

    Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.

    Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.

    Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.

  • Compromises to Intellectual Property (Continued)

    Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.

    Piracy. Copying a software program without making payment to the owner.

  • Corporate Security Plan - Protecting

  • Defense Strategy - Controls

  • Controls

    Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures.

    General controls. Established to protect the system regardless of the specific application.

    Physical controls. Physical protection of computer facilities and resources.

    Access controls. Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.

  • Controls (Continued)

    Communications (network) controls. Protect the movement of data across networks and include border security controls, authentication, and authorization.

    Firewalls. A system that enforces an access-control policy between two networks.

    Encryption. The process of converting an original message into a form that cannot be read by anyone except the intended receiver.

  • Controls (Continued)

    All encryption systems use a key.

    Symmetric encryption. The sender and the recipient use the same key.

    Public-key encryption. Uses two different keys: a public key and a private key.

    Certificate authority. Asserts that each computer is identified accurately and provides the public keys to each computer.

  • Controls (Continued)

    Virtual Private Networking. Uses the Internet to carry information within a company and among business partners, but with increased security through the use of encryption, authentication, and access control.

    Application controls. Controls that protect specific applications and include input, processing, and output controls.

  • Controls (Continued)

    Information systems auditing. The task of independent or unbiased observers to ensure that information systems work properly.

    Types of Auditors and Audits

    Internal. Performed by corporate internal auditors.

    External. Reviews the internal audit as well as the inputs, processing, and outputs of information systems.

    Audit. Examination of information systems, their inputs, outputs, and processing.

  • IS Auditing Procedure

    Auditing around the computer means verifying processing by checking for known outputs from specific inputs.

    Auditing through the computer means inputs, outputs, and processing are checked.

    Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.

  • Auditing

    Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.

    There are two types of auditors:

    An internal auditor is usually a corporate employee who is not a member of the ISD.

    An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.

    There are two types of audits:

    The operational audit determines whether the ISD is working properly.

    The compliance audit determines whether controls have been implemented properly and are adequate.

  • Protecting Information Resources

    Risk. The probability that a threat will impact an information resource.

    Risk management. To identify, control, and minimize the impact of threats.

    Risk analysis. To assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable cost of its being compromised with the cost of protecting it.

  • Protecting Information Resources (Continued)

    Risk mitigation is when the organization takes concrete actions against risk. It has two functions:

    (1) implementing controls to prevent identified threats from occurring, and

    (2) developing a means of recovery should the threat become a reality.

  • Risk Mitigation Strategies

    Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

    Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.

    Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
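    The risk analysis described on the "Protecting Information Resources" slides (asset value, probability of compromise, probable cost of compromise versus cost of protection) and the three mitigation strategies above can be worked through numerically. The following is an added example, not code from the slides or the textbook; the assets, values, probabilities, control costs and insurance premiums are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float              # loss if the asset is fully compromised
    p_compromise: float       # estimated annual probability of compromise (0..1)
    control_cost: float       # annual cost of the controls that limit the threat
    control_effect: float     # fraction of the expected loss those controls remove (0..1)
    insurance_premium: float  # annual premium to transfer the risk; 0 = no policy offered

    def __post_init__(self) -> None:
        # Risk analysis only makes sense with well-formed probabilities and fractions.
        for f in (self.p_compromise, self.control_effect):
            if not 0.0 <= f <= 1.0:
                raise ValueError(f"{self.name}: probability/fraction out of range: {f}")


def expected_loss(a: Asset) -> float:
    """Probable annual cost of compromise: asset value x probability of compromise."""
    return round(a.value * a.p_compromise, 2)


def choose_strategy(a: Asset) -> Tuple[str, float]:
    """Compare the three mitigation strategies from the slides and return the cheapest
    as (strategy, total annual cost including any residual expected loss)."""
    options: Dict[str, float] = {
        "accept": expected_loss(a),                                          # no controls, absorb damage
        "limit": a.control_cost + expected_loss(a) * (1 - a.control_effect),  # controls plus residual loss
    }
    if a.insurance_premium > 0:
        options["transfer"] = a.insurance_premium                            # insurer absorbs the loss
    best = min(options, key=options.get)
    return best, round(options[best], 2)


def risk_register(assets: List[Asset]) -> List[Dict[str, object]]:
    """Rank assets by expected loss (highest first) with the chosen strategy for each."""
    rows = []
    for a in assets:
        strategy, cost = choose_strategy(a)
        rows.append({"asset": a.name, "expected_loss": expected_loss(a),
                     "strategy": strategy, "annual_cost": cost})
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


# Constructed sample assets; the figures are illustrative, not taken from the slides.
ASSETS = [
    Asset("customer database", 500_000, 0.05, 10_000, 0.8, 20_000),
    Asset("marketing brochures", 2_000, 0.30, 1_500, 0.9, 0),
    Asset("payment gateway", 1_000_000, 0.02, 30_000, 0.5, 15_000),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS):
        print(f"{row['asset']:<20} expected loss {row['expected_loss']:>10,.2f}  "
              f"-> {row['strategy']:<8} (annual cost {row['annual_cost']:,.2f})")
```

    With these inputs each asset lands on a different strategy: controls pay for themselves on the database, the brochures are cheaper to leave unprotected, and the gateway's premium undercuts both its expected loss and its control cost.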

  • Disaster Recovery Planning

    Disaster recovery. The chain of events linking planning to protection to recovery; the disaster recovery plan.

    Disaster avoidance. Oriented towards prevention, e.g., an uninterruptible power supply (UPS).

    Hot sites. External data centers that are fully configured and have copies of the organization's data and programs.

  • Business Continuity

    An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster.

    The purpose of a business continuity plan is to keep the business running after a disaster occurs.

    Recovery planning is part of asset protection.

    Planning should focus on recovery from a total loss of all capabilities.

    Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.

    All critical applications must be identified and their recovery procedures addressed.

    The plan should be written so that it will be effective in case of disaster.

  • Managerial Issues

    What is the business value of IT security and control?

    Why are these legal obligations?

    How important is IT security to management?

    IT security and internal control must be implemented top-down.

    Acceptable use policies.

  • Managerial Issues (Continued)

    Digital assets are relied upon for competitive advantage.

    What does risk management involve?

    What are the impacts of IT security breaches?

    Federal and state regulations.

    Internal control and computer forensics.

  • Chapter 16

    Copyright 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.