09 - System Security
SYSTEMS SECURITY
12/4/2021
Learning Objectives
● Why are information systems vulnerable to destruction, error, and abuse?
● What is the business value of security and control?
● What are the components of an organizational framework for security and control?
● What are the most important tools and technologies for safeguarding information resources?
Security:
Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls:
Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy and reliability of its accounting records; and operational adherence to management standards
Spoofing:
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
Redirecting Web link to address different from intended one, with site masquerading as intended destination
Sniffer:
Eavesdropping program that monitors information traveling over network
Enables hackers to steal proprietary information such as e-mail, company files, etc.
• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
• Software problems (programming errors, installation errors, unauthorized changes)
• Disasters
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices
FIGURE 8-1 The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
Internet Vulnerabilities
Worms:
Independent computer programs that copy themselves from one computer to other computers over a network.
Spyware:
Small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising.
• Computer crime
Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
• Computer may be target of crime, e.g.:
• Breaching confidentiality of protected computerized data
• Accessing a computer system without authority
• Computer may be instrument of crime, e.g.:
• Theft of trade secrets
• Using e-mail for threats or harassment
Electronic evidence:
• Evidence for white collar crimes often in digital form
• Data on computers, e-mail, instant messages, e-commerce transactions
• Proper control of data can save time and money when responding to legal discovery request
Computer forensics:
• Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law
• Includes recovery of ambient and hidden data
General controls
• Govern design, security, and use of computer programs and security of data files in general throughout organization’s information technology infrastructure.
• Apply to all computerized applications
• Combination of hardware, software, and manual procedures to create overall control environment
Security policy
• Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
• Drives other policies
• Acceptable use policy (AUP)
Defines acceptable uses of firm’s information resources and computing equipment
• Authorization policies
Determine differing levels of user access to information assets
Authentication
• Password systems
• Tokens
• Smart cards
• Biometric authentication
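The first two items in that list, a password system and a token, can be shown working together. The following is an added example written for this page, not code from the lecture or its textbook; the user store, the user names and the token seed are constructed here, and the iteration count is an assumed work factor. Passwords are stored only as salted, iterated hashes, and the token codes follow the HOTP construction (RFC 4226), so a code can be used once and not replayed.

```python
import hashlib
import hmac
import os
import struct

# Constructed in-memory user store for this example: username -> record.
# Records are created by register_user(); nothing here comes from a real system.
USERS = {}
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: equal passwords get different stored values,
    and every guess costs the attacker PBKDF2_ITERATIONS hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the value an event-based
    hardware token displays for a given counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def register_user(username: str, password: str, token_secret: bytes) -> None:
    """Store a per-user random salt, the password hash and the token seed.
    The plaintext password is never stored."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "token_secret": token_secret,
        "counter": 0,  # server-side copy of the token's event counter
    }


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user takes as long as a wrong password
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])  # constant-time compare


def verify_token(username: str, code: str, look_ahead: int = 3) -> bool:
    """Accept the next few counter values (the user may have pressed the token
    button without logging in); once a code is used, move the counter past it
    so the same code cannot be replayed."""
    user = USERS.get(username)
    if user is None:
        return False
    for c in range(user["counter"], user["counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["token_secret"], c), code):
            user["counter"] = c + 1
            return True
    return False


def login(username: str, password: str, code: str) -> bool:
    """Two factors: something the user knows and something the user has."""
    return verify_password(username, password) and verify_token(username, code)
```

Registering a user and calling login() with the password and the current token code returns True once; presenting the same code again returns False because the stored counter has moved past it. Smart cards and biometrics are not modelled here; they replace the token seed with a key held on the card or a template matched by a reader, but the server-side checks look the same.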
Firewall:
• Combination of hardware and software that prevents unauthorized users from accessing private networks
• Technologies include:
• Static packet filtering
• Network address translation (NAT)
• Application proxy filtering
FIGURE 8-5 A corporate firewall
FIGURE 8-6 A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
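The exchange in that figure, carried through with textbook RSA, as an added example that is not part of the lecture or its textbook. The primes 61 and 53 are deliberately tiny so the arithmetic can be checked by hand, the directory is a constructed dictionary, and the names are made up. The point to take from it is the asymmetry: the sender needs nothing secret, only the public key from the directory, and only the holder of the matching private key can unlock the result.

```python
from math import gcd
from typing import Dict, List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA key generation from two primes. Educational sizes only:
    a real system uses primes of over a thousand bits each."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: the modular inverse of e
    return (e, n), (d, n)  # (public key, private key)


def encrypt_int(m: int, public_key: Key) -> int:
    """Lock one block with the public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(c: int, private_key: Key) -> int:
    """Unlock one block with the matching private key."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_message(text: str, public_key: Key) -> List[int]:
    """One block per byte; with tiny keys no more than a byte fits in a block."""
    return [encrypt_int(b, public_key) for b in text.encode("utf-8")]


def decrypt_message(blocks: List[int], private_key: Key) -> str:
    return bytes(decrypt_int(c, private_key) for c in blocks).decode("utf-8")


# Constructed public-key directory, the role the figure gives to "a directory":
# anyone may read it, and private keys never enter it.
DIRECTORY: Dict[str, Key] = {}


def publish(name: str, public_key: Key) -> None:
    DIRECTORY[name] = public_key


def send(text: str, recipient: str) -> List[int]:
    """Sender side of the figure: look up the recipient's public key and
    encrypt. The sender holds no secret of the recipient's."""
    return encrypt_message(text, DIRECTORY[recipient])
```

With the primes 61 and 53 and e = 17 the private exponent is 2753 and the byte value 65 encrypts to 2790, which decrypts back to 65. Encrypting byte by byte with no padding makes equal bytes produce equal blocks, so the ciphertext leaks patterns; deployed systems pad each block (OAEP) and normally use the public key only to lock a random symmetric key that encrypts the message itself.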
THANKS!
Do you have any questions?