09 - System Security

The document discusses security vulnerabilities in information systems and the importance of establishing security controls and frameworks. It covers types of threats like spoofing, sniffing and malware. It also addresses the business value of security and outlines general controls and policies that are important for a security framework.

12/4/2021

SYSTEMS SECURITY

Haryudi Anas, S.E. M.S.M.


Learning Objectives
● Why are information systems vulnerable to destruction, error, and abuse?
● What is the business value of security and control?
● What are the components of an organizational framework for security and control?
● What are the most important tools and technologies for safeguarding information resources?

System Vulnerability and Abuse

Security:
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems

Controls:
Methods, policies, and organizational procedures that ensure the safety of the organization’s assets; the accuracy and reliability of its accounting records; and operational adherence to management standards


System Vulnerability and Abuse

Spoofing:
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; also redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination

Sniffer:
Eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information such as e-mail, company files, etc.

Why systems are vulnerable

• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
• Software problems (programming errors, installation errors, unauthorized changes)
• Disasters
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices


Contemporary Security Challenges and Vulnerabilities

FIGURE 8-1 The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Internet Vulnerabilities

• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with cable or DSL modems creates fixed targets for hackers
• Unencrypted VOIP
• E-mail, P2P, IM
  • Interception
  • Attachments with malicious software
  • Transmitting trade secrets


Wireless security challenges

• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
  • Identify access points
  • Broadcast multiple times
• War driving
  Eavesdroppers drive by buildings and try to detect the SSID and gain access to the network and its resources

Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

Malware (malicious software)

Viruses:
Rogue software program that attaches itself to other software programs or data files in order to be executed

Worms:
Independent computer programs that copy themselves from one computer to other computers over a network

Trojan horses:
Software program that appears to be benign but then does something other than expected

SQL injection attacks:
Hackers submit data to Web forms that exploit the site’s unprotected software and send a rogue SQL query to the database

Spyware:
Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising

Key loggers:
Record every keystroke on a computer to steal serial numbers and passwords or launch Internet attacks
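The SQL injection entry above says that form data can turn into a rogue query when the site's software is unprotected. The following added example (not part of the lecture slides) shows the unprotected form-login query beside its hardened version; the in-memory `users` table and the `login_*` function names are constructed for illustration.

```python
import sqlite3

# Constructed in-memory personnel table, for illustration only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "hr"), ("bob", "hunter2", "staff")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Form input is pasted straight into the SQL text, so the input can
    # change the structure of the query (the flaw the slide describes).
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(query)]

def login_parameterized(conn, username, password):
    # Bound parameters are always treated as data, never as SQL syntax,
    # so the same input can only ever be compared against the columns.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # the classic textbook form input, constructed here
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, "x", tautology),
        "injected_param": login_parameterized(conn, "x", tautology),
    }
```

Running `demo()` shows the vulnerable query returning every user for the tautology input, while the parameterized query returns nothing because the quote characters never reach the SQL parser.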


Hackers and Computer Crime

• Hackers vs. crackers
• Activities include
  • System intrusion
  • System damage
  • Cyber vandalism
    Intentional disruption, defacement, or destruction of a Web site or corporate information system

Hackers and Computer Crime

• Computer crime
  Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
• Computer may be target of crime, e.g.:
  • Breaching confidentiality of protected computerized data
  • Accessing a computer system without authority
• Computer may be instrument of crime, e.g.:
  • Theft of trade secrets
  • Using e-mail for threats or harassment


Internal threats: employees

• Security threats often originate inside an organization
  • Inside knowledge
  • Sloppy security procedures
  • Users’ lack of knowledge
• Social engineering:
  Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

Business Value of Security and Control

• Failed computer systems can lead to significant or total loss of business function
• Firms now more vulnerable than ever
  • Confidential personal and financial data
  • Trade secrets, new products, strategies
• A security breach may cut into firm’s market value almost immediately
• Inadequate security and controls also bring forth issues of liability


Business Value of Security and Control

Legal and regulatory requirements for electronic records management and privacy protection
• HIPAA: Medical security and privacy rules and procedures
• Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
• Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

Business Value of Security and Control

Electronic evidence:
• Evidence for white collar crimes often in digital form
• Data on computers, e-mail, instant messages, e-commerce transactions
• Proper control of data can save time and money when responding to a legal discovery request

Computer forensics:
• Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
• Includes recovery of ambient and hidden data


Establishing a Framework for Security and Control

Information systems controls
• Manual and automated controls
• General and application controls

General controls
• Govern design, security, and use of computer programs and security of data files in general throughout the organization’s information technology infrastructure
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures to create an overall control environment

Establishing a Framework for Security and Control

Types of general controls
• Software controls
• Hardware controls
• Computer operations controls
• Data security controls
• Implementation controls
• Administrative controls


Establishing a Framework for Security and Control

Security policy
• Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
• Drives other policies
  • Acceptable use policy (AUP)
    Defines acceptable uses of the firm’s information resources and computing equipment
  • Authorization policies
    Determine differing levels of user access to information assets

Establishing a Framework for Security and Control

Figure (image not reproduced): two example security profiles for a personnel system.
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.


Establishing a Framework for Security and Control

• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after a disaster
• Both types of plans needed to identify the firm’s most critical systems
  • Business impact analysis to determine the impact of an outage
  • Management must determine which systems are restored first

Technologies and Tools for Protecting Information Resources

Identity management software
• Automates keeping track of all users and privileges
• Authenticates users, protecting identities, controlling access

Authentication
• Password systems
• Tokens
• Smart cards
• Biometric authentication


Technologies and Tools for Protecting Information Resources

Firewall:
• Combination of hardware and software that prevents unauthorized users from accessing private networks
• Technologies include:
  • Static packet filtering
  • Network address translation (NAT)
  • Application proxy filtering

Technologies and Tools for Protecting Information Resources

FIGURE 8-5 A Corporate Firewall. The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.


Technologies and Tools for Protecting Information Resources

Intrusion detection systems:
• Monitor hot spots on corporate networks to detect and deter intruders
• Examine events as they are happening to discover attacks in progress

Antivirus and antispyware software:
• Checks computers for presence of malware and can often eliminate it as well
• Requires continual updating

Unified threat management (UTM) systems

Technologies and Tools for Protecting Information Resources

Public Key Encryption

FIGURE 8-6 A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.


Technologies and Tools for Protecting Information Resources

Security in the cloud
• Responsibility for security resides with the company owning the data
• Firms must ensure providers provide adequate protection
• Service level agreements (SLAs)

Securing wireless networks
• Assigning a unique name to the network’s SSID and not broadcasting the SSID
• Continually changing keys
• Encrypted authentication system with a central server

THANKS!
Do you have any questions?

CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik and illustrations by Stories
